From 7984107515cb119c3defb61e5bcbfd17e681d580 Mon Sep 17 00:00:00 2001 From: Amarnath Valluri Date: Thu, 2 Feb 2017 12:42:44 +0200 Subject: [PATCH 01/24] refkit-distro: bitbake configuration changes to support usrmerge Flatpack based refkit application framework demands merging of root folders(/bin, /sbin, /lib*) to their /usr counterparts. This requires the changes to default bitbake configuration to point all base_{lib,bin,sbin}dir variables to /usr. Upstream patches put on hold: http://lists.openembedded.org/pipermail/openembedded-core/2017-February/133169.html http://lists.openembedded.org/pipermail/openembedded-core/2017-February/133170.html Signed-off-by: Amarnath Valluri
---
 meta-refkit/conf/distro/include/usrmerge.inc | 32 ++++++++++++++++++++ meta-refkit/conf/distro/refkit.conf | 2 ++ 2 files changed, 34 insertions(+) create mode 100644 meta-refkit/conf/distro/include/usrmerge.inc
diff --git a/meta-refkit/conf/distro/include/usrmerge.inc b/meta-refkit/conf/distro/include/usrmerge.inc
new file mode 100644
index 0000000000..744af4722f
--- /dev/null
+++ b/meta-refkit/conf/distro/include/usrmerge.inc
@@ -0,0 +1,32 @@
+#enable merged /usr
+REFKIT_DEFAULT_DISTRO_FEATURES += "usrmerge"
+
+# Change the configuration to point all base folder to /usr
+export base_bindir = "${base_prefix}/usr/bin"
+export base_sbindir = "${base_prefix}/usr/sbin"
+export base_libdir = "${base_prefix}/usr/${baselib}"
+export nonarch_base_libdir = "${base_prefix}/usr/lib"
+
+#nativesdk
+base_bindir_nativesdk = "${bindir_nativesdk}"
+base_sbindir_nativesdk = "${sbindir_nativesdk}"
+base_libdir_nativesdk = "${libdir_nativesdk}"
+
+target_base_libdir_class-cross = "${target_base_prefix}/usr/lib"
+
+# Disable split-usr support in systemd and point the rootprefix to /usr
+EXTRA_OECONF_append_pn-systemd = " --disable-split-usr"
+rootprefix_pn-systemd = "${exec_prefix}"
+
+# Most of shell scripts refer to '#!/bin/{sh,bash}' inside the script. But, when
+# root folders(/bin, /lib, /sbin) merged with their /usr counterparts this path
+# would be /usr/bin/{sh, bash}. The builder complains that 'no package provides
+# '/bin/{sh/bash}''. So to satisfy builder adding '/bin/{sh,bash}' to bash,
+# busybox package providers list. This is a temporary hack till we get a
+# solution from oe-core
+# Links to Upstream patches:
+# http://lists.openembedded.org/pipermail/openembedded-core/2017-February/133148.html
+# http://lists.openembedded.org/pipermail/openembedded-core/2017-February/133149.html
+
+RPROVIDES_bash_append_pn-bash = " /bin/bash /bin/sh"
+RPROVIDES_busybox_append_pn-busybox = " /bin/sh"
diff --git a/meta-refkit/conf/distro/refkit.conf b/meta-refkit/conf/distro/refkit.conf
index a0662ac69c..4d089d0f53 100644
--- a/meta-refkit/conf/distro/refkit.conf
+++ b/meta-refkit/conf/distro/refkit.conf
@@ -194,3 +194,5 @@ PACKAGE_ARCH_pn-rhino = "${TUNE_PKGARCH}"
 # re-use uninative shim released by Yocto Project / OE
 require conf/distro/include/yocto-uninative.inc
 INHERIT += "uninative"
+
+require conf/distro/include/usrmerge.inc
\ No newline at end of file
From 7de10cc4e1e404e41ed14d5ad9305fa22dea6c16 Mon Sep 17 00:00:00 2001 From: Amarnath Valluri Date: Thu, 23 Mar 2017 16:13:56 +0200 Subject: [PATCH 02/24] refkit-image, refkit-initramfs: Create symlinks needed for usrmerge Prepare the root symlinks required for runtime at the time of rootfs creation. The assumption is that in usrmerged distro, no package installs files in /bin,/sbin and /lib* folders. Upstream Patches: http://lists.openembedded.org/pipermail/openembedded-core/2017-February/133166.html Signed-off-by: Amarnath Valluri
---
 meta-refkit-core/classes/refkit-image.bbclass | 40 +++++++++++++++++++ .../recipes-images/images/refkit-initramfs.bb | 9 +++++ 2 files changed, 49 insertions(+)
diff --git a/meta-refkit-core/classes/refkit-image.bbclass b/meta-refkit-core/classes/refkit-image.bbclass
index da59c0bd67..340c19ce24 100644
--- a/meta-refkit-core/classes/refkit-image.bbclass
+++ b/meta-refkit-core/classes/refkit-image.bbclass
@@ -523,3 +523,43 @@ EOF
 fi
 }
 ROOTFS_POSTPROCESS_COMMAND += "refkit_image_system_serialgetty; "
+
+# Prepare the symlinks required for merged /usr at the time of rootfs creation.
+
+# The links created in rootfs are:
+#/bin --> /usr/sbin
+#/sbin --> /usr/sbin
+#/lib --> /usr/lib
+#/lib64 --> /usr/lib64
+
+# We cannot make these symlinks as part of 'base-files' or some other package.
+# Because at rootfs creation, installation of the package(say kernel) that
+# depends on these root folders/links fails, if package manager installs this
+# package prior to base-files.
+
+# These symbolic links in top level folder should present as long as
+# - kerenl tools use /lib/{module,firmware}
+# - shell scripts uses
+#upstream commit waiting for review:
+# http://lists.openembedded.org/pipermail/openembedded-core/2017-February/133151.html
+create_merged_usr_symlinks() {
+ install -m 0755 -d ${IMAGE_ROOTFS}/${base_bindir}
+ install -m 0755 -d ${IMAGE_ROOTFS}/${base_sbindir}
+ install -m 0755 -d ${IMAGE_ROOTFS}/${base_libdir}
+ lnr ${IMAGE_ROOTFS}${base_bindir} ${IMAGE_ROOTFS}/bin
+ lnr ${IMAGE_ROOTFS}${base_sbindir} ${IMAGE_ROOTFS}/sbin
+ lnr ${IMAGE_ROOTFS}${base_libdir} ${IMAGE_ROOTFS}/${baselib}
+
+ if [ "${nonarch_base_libdir}" != "${base_libdir}" ]; then
+ install -m 0755 -d ${IMAGE_ROOTFS}/${nonarch_base_libdir}
+ lnr ${IMAGE_ROOTFS}${nonarch_base_libdir} ${IMAGE_ROOTFS}/lib
+ fi
+
+ # create base links for multilibs
+ multi_libdirs="${@d.getVar('MULTILIB_VARIANTS')}"
+ for d in $multi_libdirs; do
+ install -m 0755 -d ${IMAGE_ROOTFS}/${exec_prefix}/$d
+ lnr ${IMAGE_ROOTFS}/${exec_prefix}/$d ${IMAGE_ROOTFS}/$d
+ done
+}
+ROOTFS_PREPROCESS_COMMAND += "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', 'create_merged_usr_symlinks; ', '',d)}"
diff --git a/meta-refkit-core/recipes-images/images/refkit-initramfs.bb b/meta-refkit-core/recipes-images/images/refkit-initramfs.bb
index 96b04a0513..8e4c9c85d1 100644
--- a/meta-refkit-core/recipes-images/images/refkit-initramfs.bb
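Review bot: In `create_merged_usr_symlinks`, `multi_libdirs="${@d.getVar('MULTILIB_VARIANTS')}"` expands to the literal string `None` when the variable is unset, and the loop would then create `${exec_prefix}/None` and a `/None` link in the rootfs; unless a default is guaranteed elsewhere, `${@d.getVar('MULTILIB_VARIANTS') or ''}` avoids that. The header comment documents `#/bin --> /usr/sbin`, while the code links `/bin` to `${base_bindir}`, so the comment should read `#/bin --> /usr/bin`. The `install` lines spell the path `${IMAGE_ROOTFS}/${base_bindir}` and the `lnr` lines `${IMAGE_ROOTFS}${base_bindir}`; one spelling throughout would be easier to audit.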
+++ b/meta-refkit-core/recipes-images/images/refkit-initramfs.bb
@@ -68,3 +68,12 @@ IMA_EVM_ROOTFS_SIGNED = "-maxdepth 0 -false"
 IMA_EVM_ROOTFS_HASHED = "-maxdepth 0 -false"
 IMA_EVM_ROOTFS_CLASS = "${@bb.utils.contains('IMAGE_FEATURES', 'ima', 'ima-evm-rootfs', '',d)}"
 inherit ${IMA_EVM_ROOTFS_CLASS}
+
+create_merged_usr_links() {
+ mkdir -p ${IMAGE_ROOTFS}${libdir} ${IMAGE_ROOTFS}${bindir} ${IMAGE_ROOTFS}${sbindir}
+ lnr ${IMAGE_ROOTFS}${libdir} ${IMAGE_ROOTFS}/${baselib}
+ lnr ${IMAGE_ROOTFS}${bindir} ${IMAGE_ROOTFS}/bin
+ lnr ${IMAGE_ROOTFS}${sbindir} ${IMAGE_ROOTFS}/sbin
+}
+ROOTFS_PREPROCESS_COMMAND += "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', 'create_merged_usr_links;', '', d)}"
+
From 53babb1c8e82cfa031c1dd38a6b1b4c2732ba4e3 Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 6 Jun 2017 13:47:45 +0300 Subject: [PATCH 03/24] util-linux_%.bbappend: get rid of conflict with usrmerge enabled. Get rid of conflicting /usr/sbin/nologin when usrmerge DISTRO_FEATURE is enabled. Signed-off-by: Krisztian Litkey
---
 .../util-linux/util-linux_%.bbappend | 17 +++++++++++++++++ 1 file changed, 17 insertions(+)
diff --git a/meta-refkit-core/recipes-core/util-linux/util-linux_%.bbappend b/meta-refkit-core/recipes-core/util-linux/util-linux_%.bbappend
index e061203936..ec68da27f3 100644
--- a/meta-refkit-core/recipes-core/util-linux/util-linux_%.bbappend
+++ b/meta-refkit-core/recipes-core/util-linux/util-linux_%.bbappend
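Review bot: `create_merged_usr_links` links only `/${baselib}`, `/bin` and `/sbin`, so on a target where `baselib` is not `lib` the initramfs gets no `/lib` link, although the comment in refkit-image.bbclass says kernel tools still look in `/lib/{module,firmware}`; the class's `nonarch_base_libdir` branch has no counterpart here. The directories are made with `mkdir -p`, which leaves their mode to the build umask, where the class uses `install -m 0755 -d`. It may be simpler to reuse the class function than to keep two near-identical copies under different names; whether this recipe inherits that class is not visible in the hunk.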
@@ -7,3 +7,20 @@ DEPENDS_remove_class-native_refkit-config = "lzo-native"
 DEPENDS_remove_class-nativesdk_refkit-config = "lzo-native"
 DEPENDS_append_class-native_refkit-config = " lz4-native"
 DEPENDS_append_class-nativesdk_refkit-config = " lz4-native"
+
+# nologin can come from two separate sources, shadow and util-linux.
+# Normally these do not conflict, the one from shadow goes into /sbin,
+# the one from util-linux goes into /usr/sbin. With usrmerge enabled,
+# however, /sbin is symlinked to /usr/sbin and these start conflicting.
+# If that happens, we make util-linux get out of the way by removing
+# its nologin.
+#
+# Ideally we probably should make sure first that shadow is enabled to
+# ensure we don't end up without any /{usr/,}sbin/nologin.
+
+do_install_append () {
+ if [ -n "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', 'y', '', d)}" ];
+ then
+ rm -f ${D}${sbindir}/nologin
+ fi
+}
From 2ab5593c0efb8b2f09dfae9b98038e197dd84b2c Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 6 Jun 2017 16:54:35 +0300 Subject: [PATCH 04/24] fuse: let overriding base_sbindir have the proper effect. Set MOUNT_FUSE_PATH explicitly to ${base_sbindir} before configure. Making this explicit will let people override base_sbindir with the desired effect, for instance when ussrmerge DISTRO_FEATURE is enabled. Upstream-Status: Submitted [openembedded-devel@lists.openembedded.org] Signed-off-by: Krisztian Litkey
---
 meta-refkit-core/recipes-support/fuse/fuse_2.%.bbappend | 9 +++++++++ .../conf/distro/include/refkit-supported-recipes.txt | 1 + 2 files changed, 10 insertions(+) create mode 100644 meta-refkit-core/recipes-support/fuse/fuse_2.%.bbappend
diff --git a/meta-refkit-core/recipes-support/fuse/fuse_2.%.bbappend b/meta-refkit-core/recipes-support/fuse/fuse_2.%.bbappend
new file mode 100644
index 0000000000..7ffec0ac1e
--- /dev/null
+++ b/meta-refkit-core/recipes-support/fuse/fuse_2.%.bbappend
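Review bot: The guard in `do_install_append` keys on the `usrmerge` distro feature, but the conflict described in the comment exists exactly when `${base_sbindir}` and `${sbindir}` name the same directory; `if [ "${base_sbindir}" = "${sbindir}" ]; then` states that condition directly and also covers a configuration that merges the two paths without the feature flag. The removal still runs without any check that another recipe actually ships `nologin`, which the comment acknowledges but the code does not enforce.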
@@ -0,0 +1,9 @@
+# With usrmerge enabled, we need to let FUSE know where to put its mount.
+FUSE_MOUNT_PATH = "${@bb.utils.contains('DISTRO_FEATURES', 'usrmerge', \
+ '/usr/sbin', '/sbin', d)}"
+
+do_configure_prepend() {
+ export MOUNT_FUSE_PATH="${FUSE_MOUNT_PATH}"
+}
+
+# Upstream-Status: Submitted [openembedded-devel@lists.openembedded.org]
diff --git a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
index 31edb9110a..2841391b79 100644
--- a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
+++ b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
@@ -97,6 +97,7 @@ fontconfig@core
 fontsproto@core
 formfactor@core
 freetype@core
+fuse@filesystems-layer
 gawk@core
 gcc-runtime@core
 gcc@core
From 4e553ce08c1ef6642f7523260165d285b5b2a3f7 Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 6 Jun 2017 13:54:00 +0300 Subject: [PATCH 05/24] quilt: override awk path to /usr/bin/awk, disable sendmail. quilts autodetection of awk seems to incorrectly pick up gawk (haven't checked but I guess from the host) even when we don't have gawk enabled. Override autodetection by manually setting it to /usr/bin/awk. Signed-off-by: Krisztian Litkey
---
 meta-refkit-core/recipes-devtools/quilt/quilt_%.bbappend | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 meta-refkit-core/recipes-devtools/quilt/quilt_%.bbappend
diff --git a/meta-refkit-core/recipes-devtools/quilt/quilt_%.bbappend b/meta-refkit-core/recipes-devtools/quilt/quilt_%.bbappend
new file mode 100644
index 0000000000..ee15a75025
--- /dev/null
+++ b/meta-refkit-core/recipes-devtools/quilt/quilt_%.bbappend
@@ -0,0 +1,4 @@
+EXTRA_OECONF += " \
+ --without-sendmail \
+ --with-awk=/usr/bin/awk \
+"
From 48a90929a262d1c32f7f87b65e3e26b590407dcb Mon Sep 17 00:00:00 2001
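Review bot: The commit message says MOUNT_FUSE_PATH is set to `${base_sbindir}`, but `FUSE_MOUNT_PATH` in fuse_2.%.bbappend is hard-coded to `/usr/sbin` or `/sbin` from the `usrmerge` feature, so overriding `base_sbindir` (or `base_prefix`) has no effect on the path handed to configure. `FUSE_MOUNT_PATH = "${base_sbindir}"` would match the description and follow usrmerge.inc automatically. The trailing `# Upstream-Status:` line is a patch-header tag and carries no meaning inside a bbappend.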
From: Krisztian Litkey Date: Tue, 6 Jun 2017 17:16:39 +0300 Subject: [PATCH 06/24] gpgme,gnupg: add gpgme, gnupg and their dependencies (for ostree signing). Added bbappends with native support (where needed), and declared as supported recipes gpgme and gnupg along with its missing dependencies libksba, npth, and pinentry. These are necessary to support signing commits in ostree. Signed-off-by: Krisztian Litkey
---
 meta-refkit-core/recipes-support/gnupg/gnupg_2.%.bbappend | 3 +++ meta-refkit-core/recipes-support/libksba/libksba_%.bbappend | 3 +++ meta-refkit-core/recipes-support/npth/npth_%.bbappend | 3 +++ .../recipes-support/pinentry/pinentry_%.bbappend | 3 +++ .../conf/distro/include/refkit-supported-recipes.txt | 6 ++++++ 5 files changed, 18 insertions(+) create mode 100644 meta-refkit-core/recipes-support/gnupg/gnupg_2.%.bbappend create mode 100644 meta-refkit-core/recipes-support/libksba/libksba_%.bbappend create mode 100644 meta-refkit-core/recipes-support/npth/npth_%.bbappend create mode 100644 meta-refkit-core/recipes-support/pinentry/pinentry_%.bbappend
diff --git a/meta-refkit-core/recipes-support/gnupg/gnupg_2.%.bbappend b/meta-refkit-core/recipes-support/gnupg/gnupg_2.%.bbappend
new file mode 100644
index 0000000000..ddf373c147
--- /dev/null
+++ b/meta-refkit-core/recipes-support/gnupg/gnupg_2.%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-refkit-core/recipes-support/libksba/libksba_%.bbappend b/meta-refkit-core/recipes-support/libksba/libksba_%.bbappend
new file mode 100644
index 0000000000..65f4e2b51d
--- /dev/null
+++ b/meta-refkit-core/recipes-support/libksba/libksba_%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-refkit-core/recipes-support/npth/npth_%.bbappend b/meta-refkit-core/recipes-support/npth/npth_%.bbappend
new file mode 100644
index 0000000000..65f4e2b51d
--- /dev/null
+++ b/meta-refkit-core/recipes-support/npth/npth_%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-refkit-core/recipes-support/pinentry/pinentry_%.bbappend b/meta-refkit-core/recipes-support/pinentry/pinentry_%.bbappend
new file mode 100644
index 0000000000..65f4e2b51d
--- /dev/null
+++ b/meta-refkit-core/recipes-support/pinentry/pinentry_%.bbappend
@@ -0,0 +1,3 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
index 2841391b79..0573262eab 100644
--- a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
+++ b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
@@ -118,8 +118,10 @@ gmp@core
 gnome-desktop-testing@core
 gnu-config@core
 gnu-efi@core
+gnupg@core
 gnutls@core
 gobject-introspection@core
+gpgme@core
 gptfdisk@core
 grep@core
 gstreamer1.0-plugins-bad@core
@@ -163,6 +165,7 @@ kmod@core
 krb5@openembedded-layer
 libaio@core
 libarchive@core
+libassuan@core
 libatomic-ops@core
 libcap@core
 libcgroup@core
@@ -189,6 +192,7 @@ libice@core
 libidn@core
 libinput@core
 libjpeg-turbo@core
+libksba@core
 libmicrohttpd@soletta
 libmpc@core
 libnl@core
@@ -269,6 +273,7 @@ ncurses@core
 netbase@core
 nettle@core
 nodejs@iotweb
+npth@core
 ocl-icd@refkit-computervision
 oe-swupd-helpers@meta-swupd
 opencl-headers@refkit-computervision
@@ -284,6 +289,7 @@ packagegroup-.*@refkit.*
 pango@core
 pciutils@core
 perl@core
+pinentry@core
 pixman@core
 pkgconfig@core
 pointercal-xinput@core
From a9d7422b8472a55b3a5ea87e1ab7e41a8d7a8b4c Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 6 Jun 2017 13:45:46 +0300 Subject: [PATCH 07/24] glib-networking,libsoup: provide native packages (for ostree). Added bbappends to provide native packages and declared as supported recipes. These are needed by ostree-native.
Signed-off-by: Krisztian Litkey
---
 .../glib-networking_%.bbappend | 33 +++++++++++++++++++ .../libsoup/libsoup-2.4_%.bbappend | 5 +++ 2 files changed, 38 insertions(+) create mode 100644 meta-refkit-core/recipes-core/glib-networking/glib-networking_%.bbappend create mode 100644 meta-refkit-core/recipes-support/libsoup/libsoup-2.4_%.bbappend
diff --git a/meta-refkit-core/recipes-core/glib-networking/glib-networking_%.bbappend b/meta-refkit-core/recipes-core/glib-networking/glib-networking_%.bbappend
new file mode 100644
index 0000000000..789120d5aa
--- /dev/null
+++ b/meta-refkit-core/recipes-core/glib-networking/glib-networking_%.bbappend
@@ -0,0 +1,33 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+# Make sure we compile with ca-certificates support enabled.
+PACKAGECONFIG_append = " ca-certificates"
+
+DEPENDS += "ca-certificates"
+RDEPENDS_${PN} += "ca-certificates"
+
+# We need native version for ostree-/flatpak-native.
+BBCLASSEXTEND = "native"
+
+# OE-core's relocatable.bbclass assumes that every package which
+# ends up creating a ${libdir}/pkgconfig directory in its sysroot
+# will always also install .pc-files there and tries to uncondi-
+# tionally update paths in those files using globbing that fails
+# if no such files are present. This presumption is not true for
+# glib-networking which happens to create a directory by dereferencing
+# a GIO pkgconfig variable which in turn is defined relative to
+# the pkgconfig directory (${pcfiledir}/../...), causing pkgconfig
+# to get created.
+#
+# Could be worked around in the upatream recipe but since that
+# does not provide/create native versions of the package and since
+# this problem is related to native packages, we work around it here.
+#
+do_install_append_class-native () {
+ for _pc in ${D}${libdir}/pkgconfig/*.pc; do
+ case $_pc in
+ *'*.pc') rm -fr ${D}${libdir}/pkgconfig;;
+ *.pc) break;;
+ esac
+ done
+}
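Review bot: In `do_install_append_class-native`, the `*'*.pc'` branch runs `rm -fr ${D}${libdir}/pkgconfig`, which removes the directory with everything in it whenever no `.pc` file matches, including any non-`.pc` content a later version of the package might install there. Since the goal is only to drop an empty directory, `rmdir ${D}${libdir}/pkgconfig 2>/dev/null || true` does that without the loop and cannot delete files. The comment above the function has the typo `upatream`.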
diff --git a/meta-refkit-core/recipes-support/libsoup/libsoup-2.4_%.bbappend b/meta-refkit-core/recipes-support/libsoup/libsoup-2.4_%.bbappend
new file mode 100644
index 0000000000..c08342ae86
--- /dev/null
+++ b/meta-refkit-core/recipes-support/libsoup/libsoup-2.4_%.bbappend
@@ -0,0 +1,5 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+
+DEPENDS += "glib-networking"
+
+BBCLASSEXTEND = "native"
From f70c2d96345c2245897d6f15ff995b4479fa4bdc Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 6 Jun 2017 17:26:53 +0300 Subject: [PATCH 08/24] ostree: add recipe for ostree. Added recipe for ostree and declared it as a supported recipes. Signed-off-by: Krisztian Litkey
---
 ...back-to-no-gtkdocize-if-it-is-there-.patch | 32 +++++++++++ .../recipes-flatpak/ostree/ostree_git.bb | 57 +++++++++++++++++++ .../include/refkit-supported-recipes.txt | 1 + 3 files changed, 90 insertions(+) create mode 100644 meta-refkit-core/recipes-flatpak/ostree/ostree/0001-autogen.sh-fall-back-to-no-gtkdocize-if-it-is-there-.patch create mode 100644 meta-refkit-core/recipes-flatpak/ostree/ostree_git.bb
diff --git a/meta-refkit-core/recipes-flatpak/ostree/ostree/0001-autogen.sh-fall-back-to-no-gtkdocize-if-it-is-there-.patch b/meta-refkit-core/recipes-flatpak/ostree/ostree/0001-autogen.sh-fall-back-to-no-gtkdocize-if-it-is-there-.patch
new file mode 100644
index 0000000000..1dd655064a
--- /dev/null
+++ b/meta-refkit-core/recipes-flatpak/ostree/ostree/0001-autogen.sh-fall-back-to-no-gtkdocize-if-it-is-there-.patch
@@ -0,0 +1,32 @@ +From 6a025e5eb379ae4b813eedba43f622abd8244ade Mon Sep 17 00:00:00 2001 +From: Krisztian Litkey +Date: Sat, 10 Sep 2016 22:15:21 +0300 +Subject: [PATCH] autogen.sh: fall back to no gtkdocize if it is there but + fails. + +--- + autogen.sh | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/autogen.sh b/autogen.sh +index 0f32089..00f5069 100755 +--- a/autogen.sh ++++ b/autogen.sh +@@ -25,7 +25,13 @@ EXTRA_DIST = + CLEANFILES = + EOF + else +- gtkdocize ++ gtkdocize || { ++ rm -f gtk-doc.make ++ cat > gtk-doc.make < Date: Tue, 6 Jun 2017 17:11:21 +0300 Subject: [PATCH 09/24] bubblewrap: addded recipe for bubblewrap (form flatpak). Added recipe for bubblewrap and declared it as a supported recipe. It is needed by flatpak. Signed-off-by: Krisztian Litkey --- .../bubblewrap/bubblewrap_git.bb | 25 +++++++++++++++++++ .../include/refkit-supported-recipes.txt | 1 + 2 files changed, 26 insertions(+) create mode 100644 meta-refkit-core/recipes-flatpak/bubblewrap/bubblewrap_git.bb diff --git a/meta-refkit-core/recipes-flatpak/bubblewrap/bubblewrap_git.bb b/meta-refkit-core/recipes-flatpak/bubblewrap/bubblewrap_git.bb new file mode 100644 index 0000000000..e97d15c8d9 --- /dev/null +++ b/meta-refkit-core/recipes-flatpak/bubblewrap/bubblewrap_git.bb 
@@ -0,0 +1,25 @@
+DESCRIPTION = "Helper binary for running applications sandboxed."
+HOMEPAGE = "https://github.com/projectatomic/bubblewrap"
+LICENSE = "GPLv2"
+LIC_FILES_CHKSUM = "file://COPYING;md5=5f30f0716dfdd0d91eb439ebec522ec2"
+
+DEPENDS = "libcap"
+
+SRC_URI = " \
+ git://git@github.com/projectatomic/bubblewrap;protocol=https \
+"
+SRCREV = "3ebe54af1b2acb702381ec9b5610b60758d3d163"
+
+PV = "2016.8+git${SRCPV}"
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig systemd
+AUTO_LIBNAME_PKGS = ""
+
+# possible package configurations
+PACKAGECONFIG ??= ""
+
+EXTRA_OECONF_class-target += "--disable-man --without-bash-completion-dir"
+EXTRA_OECONF_class-native += "--disable-man --without-bash-completion-dir"
+
+BBCLASSEXTEND = "native"
diff --git a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
index bb7443136a..871465700a 100644
--- a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
+++ b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
@@ -54,6 +54,7 @@ bison@core
 bluez5@core
 boost@core
 bsdiff@meta-swupd
+bubblewrap@refkit-core
 busybox@core
 bzip2@core
 ca-certificates@core
From a1812840b08dbd416fbf352b8d8df8823a1c0617 Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 6 Jun 2017 17:28:49 +0300 Subject: [PATCH 10/24] flatpak: added recipe for flatpak. Added recipe for flatpak and declared it as a supported recipe.
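Review bot: In bubblewrap_git.bb, `EXTRA_OECONF_class-target += …` and `EXTRA_OECONF_class-native += …` define override variables that replace the base `EXTRA_OECONF` instead of extending it, so a plain `EXTRA_OECONF` setting added later would be silently dropped for those classes; since both lines carry the same flags, `EXTRA_OECONF += "--disable-man --without-bash-completion-dir"` says the same thing once. The recipe also leaves bwrap's privilege mode at the configure default and inherits `systemd` without setting `SYSTEMD_SERVICE`. A comment stating whether the image relies on unprivileged user namespaces or on a setuid bwrap would make the sandbox's trust assumption visible to whoever audits the image.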
Signed-off-by: Krisztian Litkey
---
 ...back-to-no-gtkdocize-if-it-is-there-.patch | 32 +++++ ...mand-to-include-command-line-options.patch | 46 ++++++ ...g-command-line-argument-through-laun.patch | 135 ++++++++++++++++++ .../recipes-flatpak/flatpak/flatpak_git.bb | 85 +++++++++++ .../include/refkit-supported-recipes.txt | 2 + 5 files changed, 300 insertions(+) create mode 100644 meta-refkit-core/recipes-flatpak/flatpak/flatpak/0001-autogen.sh-fall-back-to-no-gtkdocize-if-it-is-there-.patch create mode 100644 meta-refkit-core/recipes-flatpak/flatpak/flatpak/0002-common-Allow-command-to-include-command-line-options.patch create mode 100644 meta-refkit-core/recipes-flatpak/flatpak/flatpak/0003-lib-Allow-passing-command-line-argument-through-laun.patch create mode 100644 meta-refkit-core/recipes-flatpak/flatpak/flatpak_git.bb
diff --git a/meta-refkit-core/recipes-flatpak/flatpak/flatpak/0001-autogen.sh-fall-back-to-no-gtkdocize-if-it-is-there-.patch b/meta-refkit-core/recipes-flatpak/flatpak/flatpak/0001-autogen.sh-fall-back-to-no-gtkdocize-if-it-is-there-.patch
new file mode 100644
index 0000000000..98db980016
--- /dev/null
+++ b/meta-refkit-core/recipes-flatpak/flatpak/flatpak/0001-autogen.sh-fall-back-to-no-gtkdocize-if-it-is-there-.patch
@@ -0,0 +1,32 @@ +From 448424558b9cd3978fd61801172d76fa334d9a53 Mon Sep 17 00:00:00 2001 +From: Krisztian Litkey +Date: Sat, 10 Sep 2016 22:35:06 +0300 +Subject: [PATCH 1/3] autogen.sh: fall back to no gtkdocize if it is there but + fails. + +--- + autogen.sh | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/autogen.sh b/autogen.sh +index 1cd3cee..c3a7bd4 100755 +--- a/autogen.sh ++++ b/autogen.sh +@@ -37,7 +37,13 @@ else + # gtkdocize needs the macro directory to exist before + # we call autoreconf + mkdir -p m4 +- gtkdocize || exit $? ++ gtkdocize || { ++ rm -f gtk-doc.make ++ cat > gtk-doc.make < +Date: Fri, 4 Nov 2016 10:38:50 +0200 +Subject: [PATCH 2/3] common: Allow command to include command line + options/arguments. + +Allow command from the command line or from a metadata file to +contain options and arguments. Split the command by space and +add all the resulting arguments to the real argument array. + +Signed-off-by: Krisztian Litkey +--- + common/flatpak-run.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/common/flatpak-run.c b/common/flatpak-run.c +index 0cef78a..03e98f9 100644 +--- a/common/flatpak-run.c ++++ b/common/flatpak-run.c +@@ -4498,6 +4498,7 @@ flatpak_run_app (const char *app_ref, + g_autoptr(GPtrArray) real_argv_array = NULL; + g_auto(GStrv) envp = NULL; + const char *command = "/bin/sh"; ++ gchar **argv, *arg; + g_autoptr(GError) my_error = NULL; + g_auto(GStrv) runtime_parts = NULL; + int i; +@@ -4687,7 +4688,14 @@ flatpak_run_app (const char *app_ref, + NULL); + } + +- g_ptr_array_add (real_argv_array, g_strdup (command)); ++ argv = g_strsplit (command, " ", -1); ++ for (i = 0; (arg = argv[i]); i++) ++ g_ptr_array_add (real_argv_array, g_strdup (arg)); ++ g_strfreev(argv); ++ ++ for (i = 0; i < n_args; i++) ++ g_ptr_array_add (real_argv_array, g_strdup (args[i])); ++ + if (!add_rest_args (app_ref_parts[1], exports, (flags & FLATPAK_RUN_FLAG_FILE_FORWARDING) != 0, + 
doc_mount_path,
+ real_argv_array, args, n_args, error))
+--
+2.7.4
+
diff --git a/meta-refkit-core/recipes-flatpak/flatpak/flatpak/0003-lib-Allow-passing-command-line-argument-through-laun.patch b/meta-refkit-core/recipes-flatpak/flatpak/flatpak/0003-lib-Allow-passing-command-line-argument-through-laun.patch
new file mode 100644
index 0000000000..c30dd64339
--- /dev/null
+++ b/meta-refkit-core/recipes-flatpak/flatpak/flatpak/0003-lib-Allow-passing-command-line-argument-through-laun.patch
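Review bot: The second added loop in `flatpak_run_app` appends every `args[i]` to `real_argv_array`, and the unchanged `add_rest_args (…, real_argv_array, args, n_args, error)` call right after it receives the same `args`; unless add_rest_args (body not shown) ignores them, each argument reaches the application twice, once without whatever file-forwarding handling add_rest_args applies. Dropping the `for (i = 0; i < n_args; i++)` loop would leave argument handling in one place. The split itself, `g_strsplit (command, " ", -1)`, knows no quoting and yields empty strings for consecutive spaces, so a command taken from app metadata becomes argv entries by a rule its author cannot escape; `g_shell_parse_argv` parses quoting and reports malformed input through a GError. The top of this embedded patch file is truncated on the page, but its diffstat (9 insertions, 1 deletion) matches the lines that are visible.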
@@ -0,0 +1,135 @@
+From 559597e3687bd1cebb70ebcd55e674e0df9a9390 Mon Sep 17 00:00:00 2001
+From: Krisztian Litkey
+Date: Fri, 4 Nov 2016 10:38:22 +0200
+Subject: [PATCH 3/3] lib: Allow passing command line argument through launch.
+
+Added a new function flatpak_installation_launch_with_args which is
+actually a copy of the original flatpak_installation_launch slightly
+modified to allow passing argument to the launched application. Also
+changed the original flatpak_installation_launch to call this new
+function with 0, NULL as the argument list.
+
+Signed-off-by: Krisztian Litkey
+---
+ lib/flatpak-installation.c | 58 ++++++++++++++++++++++++++++++++++++++--------
+ lib/flatpak-installation.h | 9 +++++++
+ 2 files changed, 57 insertions(+), 10 deletions(-)
+
+diff --git a/lib/flatpak-installation.c b/lib/flatpak-installation.c
+index 12803d7..370c854 100644
+--- a/lib/flatpak-installation.c
++++ b/lib/flatpak-installation.c
+@@ -492,16 +492,18 @@ flatpak_installation_get_storage_type (FlatpakInstallation *self)
+ }
+
+ /**
+- * flatpak_installation_launch:
++ * flatpak_installation_launch_with_args:
+ * @self: a #FlatpakInstallation
+ * @name: name of the app to launch
+ * @arch: (nullable): which architecture to launch (default: current architecture)
+ * @branch: (nullable): which branch of the application (default: "master")
+ * @commit: (nullable): the commit of @branch to launch
++ * @argc: number of command line arguments to pass to the application
++ * @argv: (nullable): command line arguments to pass to the application
+ * @cancellable: (nullable): a #GCancellable
+ * @error: return location for a #GError
+ *
+- * Launch an installed application.
++ * Launch an installed application with the given arguments.
+ *
+ * You can use flatpak_installation_get_installed_ref() or
+ * flatpak_installation_get_current_installed_app() to find out what builds
+@@ -510,13 +512,15 @@ flatpak_installation_get_storage_type (FlatpakInstallation *self)
+ * Returns: %TRUE, unless an error occurred
+ */
+ gboolean
+-flatpak_installation_launch (FlatpakInstallation *self,
+- const char *name,
+- const char *arch,
+- const char *branch,
+- const char *commit,
+- GCancellable *cancellable,
+- GError **error)
++flatpak_installation_launch_with_args (FlatpakInstallation *self,
++ const char *name,
++ const char *arch,
++ const char *branch,
++ const char *commit,
++ int argc,
++ char *argv[],
++ GCancellable *cancellable,
++ GError **error)
+ {
+ g_autoptr(FlatpakDir) dir = flatpak_installation_get_dir (self);
+ g_autofree char *app_ref = NULL;
+@@ -539,11 +543,45 @@ flatpak_installation_launch (FlatpakInstallation *self,
+ NULL,
+ FLATPAK_RUN_FLAG_BACKGROUND,
+ NULL,
+- NULL, 0,
++ argv, argc,
+ cancellable, error);
+ }
+
+
++/**
++ * flatpak_installation_launch:
++ * @self: a #FlatpakInstallation
++ * @name: name of the app to launch
++ * @arch: (nullable): which architecture to launch (default: current architecture)
++ * @branch: (nullable): which branch of the application (default: "master")
++ * @commit: (nullable): the commit of @branch to launch
++ * @cancellable: (nullable): a #GCancellable
++ * @error: return location for a #GError
++ *
++ * Launch an installed application.
++ *
++ * You can use flatpak_installation_get_installed_ref() or
++ * flatpak_installation_get_current_installed_app() to find out what builds
++ * are available, in order to get a value for @commit.
++ *
++ * Returns: %TRUE, unless an error occurred
++ */
++gboolean
++flatpak_installation_launch (FlatpakInstallation *self,
++ const char *name,
++ const char *arch,
++ const char *branch,
++ const char *commit,
++ GCancellable *cancellable,
++ GError **error)
++{
++ return flatpak_installation_launch_with_args(self, name,
++ arch, branch, commit,
++ 0, NULL,
++ cancellable, error);
++}
++
++
+ static FlatpakInstalledRef *
+ get_ref (FlatpakDir *dir,
+ const char *full_ref,
+diff --git a/lib/flatpak-installation.h b/lib/flatpak-installation.h
+index 089d510..c5d352b 100644
+--- a/lib/flatpak-installation.h
++++ b/lib/flatpak-installation.h
+@@ -148,6 +148,15 @@ FLATPAK_EXTERN gboolean flatpak_installation_launch (FlatpakInstalla
+ const char *commit,
+ GCancellable *cancellable,
+ GError **error);
++FLATPAK_EXTERN gboolean flatpak_installation_launch_with_args (FlatpakInstallation *self,
++ const char *name,
++ const char *arch,
++ const char *branch,
++ const char *commit,
++ int argc,
++ char *argv[],
++ GCancellable *cancellable,
++ GError **error);
+ FLATPAK_EXTERN GFileMonitor *flatpak_installation_create_monitor (FlatpakInstallation *self,
+ GCancellable *cancellable,
+ GError **error);
+--
+2.7.4
+
diff --git a/meta-refkit-core/recipes-flatpak/flatpak/flatpak_git.bb b/meta-refkit-core/recipes-flatpak/flatpak/flatpak_git.bb
new file mode 100644
index 0000000000..14b2f8141b
--- /dev/null
+++ b/meta-refkit-core/recipes-flatpak/flatpak/flatpak_git.bb
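Review bot: The doc comment for `flatpak_installation_launch_with_args` annotates `@argv` only as `(nullable)`, so GObject-Introspection has no length for the array and language bindings cannot marshal it; `@argv: (array length=argc) (nullable): …` ties it to `@argc`. The function also forwards `argv` and `argc` unchecked to the run call at its end (callee name not visible in the hunk), so a NULL `argv` with a non-zero `argc` is passed straight through; `g_return_val_if_fail (argc == 0 || argv != NULL, FALSE);` at the top would reject that combination. The function body starts and ends in different inner hunks, so the lines between them are not shown.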
@@ -0,0 +1,85 @@
+DESCRIPTION = "Versioned Application/Runtime Respository."
+HOMEPAGE = "http://flatpak.org"
+LICENSE = "LGPLv2.1"
+LIC_FILES_CHKSUM = "file://COPYING;md5=4fbd65380cdd255951079008b364516c"
+
+SRC_URI = " \
+ gitsm://git@github.com/flatpak/flatpak;protocol=https \
+ file://0001-autogen.sh-fall-back-to-no-gtkdocize-if-it-is-there-.patch \
+ file://0002-common-Allow-command-to-include-command-line-options.patch \
+ file://0003-lib-Allow-passing-command-line-argument-through-laun.patch \
+"
+
+SRCREV = "1a49029f9d8fbee0338665522cf7432ae7485841"
+
+PV = "0.9.3+git${SRCPV}"
+S = "${WORKDIR}/git"
+
+inherit autotools pkgconfig gettext systemd gobject-introspection
+
+DEPENDS = " \
+ glib-2.0 json-glib libsoup-2.4 libarchive elfutils fuse \
+ ostree libassuan libgpg-error bubblewrap systemd \
+"
+
+DEPENDS_class-native = " \
+ glib-2.0-native libsoup-2.4-native json-glib-native libarchive-native \
+ elfutils-native fuse-native ostree-native \
+ libassuan-native libgpg-error-native bubblewrap-native \
+"
+
+RDEPENDS_${PN}_class-target = " \
+ bubblewrap \
+ ca-certificates \
+"
+
+AUTO_LIBNAME_PKGS = ""
+
+# package configuration
+PACKAGECONFIG ?= ""
+
+PACKAGECONFIG[seccomp] = "--enable-seccomp,--disable-seccomp,seccomp"
+PACKAGECONFIG[x11] = "--enable-xauth,--disable-xauth,x11"
+PACKAGECONFIG[system-helper] = "--enable-system-helper,--disable-system-helper,poklit"
+
+EXTRA_OECONF += " \
+ --disable-docbook-docs \
+ --disable-gtk-doc-html \
+ --disable-documentation \
+ --with-systemdsystemunitdir=${systemd_unitdir}/system \
+"
+
+# package content
+PACKAGES =+ " \
+ ${PN}-build \
+ ${PN}-bash-completion \
+ ${PN}-gdm \
+"
+
+FILES_${PN} += " \
+ ${libdir}/systemd/user/*.service \
+ ${libdir}/systemd/user/dbus.service.d/*.conf \
+ ${libdir}/girepository-1.0 \
+ ${datadir}/gir-1.0 \
+ ${datadir}/dbus-1/services/*.service \
+ ${datadir}/dbus-1/interfaces/*.xml \
+"
+
+FILES_${PN}-build = "${bindir}/flatpak-builder"
+
+FILES_${PN}-bash-completion = " \
+
${sysconfdir}/profile.d/flatpak.sh \
+ ${datadir}/bash-completion/completions/flatpak \
+"
+
+FILES_${PN}-gdm = " \
+ ${datadir}/gdm/env.d/flatpak.env \
+"
+
+do_configure_prepend() {
+ cd ${S}
+ NOCONFIGURE=1 ./autogen.sh
+ cd -
+}
+
+BBCLASSEXTEND = "native"
diff --git a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
index 871465700a..4cb486905d 100644
--- a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
+++ b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
@@ -92,6 +92,7 @@ file@core
 findutils@core
 fixesproto@core
 flac@core
+flatpak@refkit-core
 flex@core
 font-util@core
 fontconfig@core
@@ -158,6 +159,7 @@ iptables@core
 iputils@core
 iso-codes@core
 json-c@core
+json-glib@core
 kbd@core
 kbproto@core
 keymaps@core
From d9bdbb2ae72aec617ef5fda796c4daa8824dae6a Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Thu, 8 Jun 2017 20:32:22 +0300 Subject: [PATCH 11/24] gnupg1: added native-only gnupg1 for key generation/repo signing. Added a native-only recipe for gnupg1. We'll use this to generate keys and sign (ostree) repository commits during bitbake/image building in connection with ostree and flatpak repositories. While gnupg2 can be beaten to working obedience with hacks, it is somewhat of a PITA to use both in non-interactive batch mode and in the Yocto relocated native environment. Instead of dealing with those problems we generate/import signing keys and sign repository commits using gnupg1, and check signatures on client devices using gnupg2. Signed-off-by: Krisztian Litkey --- .../recipes-support/gnupg1/gnupg1_1.4.21.bb | 111 ++++++++++++++++++ .../include/refkit-supported-recipes.txt | 1 + 2 files changed, 112 insertions(+) create mode 100644 meta-refkit-core/recipes-support/gnupg1/gnupg1_1.4.21.bb
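Review bot: `PACKAGECONFIG ?= ""` in flatpak_git.bb leaves the `seccomp` option off, so flatpak is configured with `--disable-seccomp` unless a distro setting or bbappend turns it on; for a sandboxing tool the syscall filter is worth enabling by default, e.g. `PACKAGECONFIG ?= "seccomp"`. The build dependency named in that option is `seccomp`, while the recipe providing the library is, as far as I know, usually called `libseccomp`, so the third field should be checked against the layer that provides it. In the `system-helper` option the dependency is spelled `poklit`, which looks like a typo for `polkit` and would break dependency resolution as soon as that option is enabled.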
diff --git a/meta-refkit-core/recipes-support/gnupg1/gnupg1_1.4.21.bb b/meta-refkit-core/recipes-support/gnupg1/gnupg1_1.4.21.bb
new file mode 100644
index 0000000000..a995c32003
--- /dev/null
+++ b/meta-refkit-core/recipes-support/gnupg1/gnupg1_1.4.21.bb
@@ -0,0 +1,111 @@
+SUMMARY = "GNU Privacy Guard - encryption and signing tools"
+HOMEPAGE = "http://www.gnupg.org/"
+DEPENDS = "zlib bzip2 readline"
+SECTION = "console/utils"
+
+LICENSE = "GPLv3"
+
+LIC_FILES_CHKSUM = "file://COPYING;md5=f27defe1e96c2e1ecd4e0c9be8967949"
+
+PR = "r9"
+
+SRC_URI = "${GNUPG_MIRROR}/gnupg/gnupg-${PV}.tar.bz2"
+
+SRC_URI[md5sum] = "9bdeabf3c0f87ff21cb3f9216efdd01d"
+SRC_URI[sha256sum] = "6b47a3100c857dcab3c60e6152e56a997f2c7862c1b8b2b25adf3884a1ae2276"
+
+inherit autotools gettext texinfo
+
+S = "${WORKDIR}/gnupg-${PV}"
+
+# --with-egd-socket=NAME use NAME for the EGD socket
+# --with-photo-viewer=FIXED_VIEWER set a fixed photo ID viewer
+# --with-included-zlib use the zlib code included here
+# --with-capabilities use linux capabilities default=no
+# --with-mailprog=NAME use "NAME -t" for mail transport
+# --with-libiconv-prefix[=DIR] search for libiconv in DIR/include and DIR/lib
+# --without-libiconv-prefix don't search for libiconv in includedir and libdir
+# --with-included-gettext use the GNU gettext library included here
+# --with-libintl-prefix[=DIR] search for libintl in DIR/include and DIR/lib
+# --without-libintl-prefix don't search for libintl in includedir and libdir
+# --without-readline do not support fancy command line editing
+# --with-included-regex use the included GNU regex library
+# --with-zlib=DIR use libz in DIR
+# --with-bzip2=DIR look for bzip2 in DIR
+# --enable-static-rnd=egd|unix|linux|auto
+# --disable-dev-random disable the use of dev random
+# --disable-asm do not use assembler modules
+# --enable-m-guard enable memory guard facility
+# --enable-selinux-support
+# enable SELinux support
+# --disable-card-support disable OpenPGP card support
+# --disable-gnupg-iconv disable the new iconv code
+# --enable-backsigs enable the experimental backsigs code
+# --enable-minimal build the smallest gpg binary possible
+# --disable-rsa disable the RSA public key algorithm
+# --disable-idea disable the IDEA cipher
+# --disable-cast5 disable the CAST5 cipher
+# --disable-blowfish disable the BLOWFISH cipher
+# --disable-aes disable the AES, AES192, and AES256 ciphers
+# --disable-twofish disable the TWOFISH cipher
+# --disable-sha256 disable the SHA-256 digest
+# --disable-sha512 disable the SHA-384 and SHA-512 digests
+# --disable-bzip2 disable the BZIP2 compression algorithm
+# --disable-exec disable all external program execution
+# --disable-photo-viewers disable photo ID viewers
+# --disable-keyserver-helpers disable all external keyserver support
+# --disable-ldap disable LDAP keyserver interface
+# --disable-hkp disable HKP keyserver interface
+# --disable-http disable HTTP key fetching interface
+# --disable-finger disable Finger key fetching interface
+# --disable-mailto disable email keyserver interface
+# --disable-keyserver-path disable the exec-path option for keyserver helpers
+# --enable-key-cache=SIZE Set key cache to SIZE (default 4096)
+# --disable-largefile omit support for large files
+# --disable-dns-srv disable the use of DNS SRV in HKP and HTTP
+# --disable-nls do not use Native Language Support
+# --disable-regex do not handle regular expressions in trust sigs
+
+EXTRA_OECONF = "--disable-ldap \
+ --with-zlib=${STAGING_LIBDIR}/.. \
+ --with-bzip2=${STAGING_LIBDIR}/.. \
+ --disable-selinux-support \
+ --without-readline \
+ ac_cv_sys_symbol_underscore=no \
+ "
+
+do_configure_prepend_class-target() {
+ echo "ERROR: ##################################################"
+ echo "ERROR: This recipe is meant for class-native usage only"
+ echo "ERROR: to help key generation and signing."
+ echo "ERROR: Do not build a class target version of this."
+ echo "ERROR: Use gnupg version 2.x instead."
+ echo "ERROR: ##################################################"
+ exit 1
+}
+
+
+do_configure_prepend () {
+ CFLAGS="$CFLAGS -fgnu89-inline"
+}
+
+do_install () {
+ autotools_do_install
+ install -d ${D}${docdir}/${BPN}
+ mv ${D}${datadir}/gnupg/* ${D}/${docdir}/gnupg/ || :
+ mv ${D}${prefix}/doc/* ${D}/${docdir}/gnupg/ || :
+}
+
+# split out gpgv from main package
+RDEPENDS_${PN}_class-target = "gpgv"
+PACKAGES =+ "gpgv"
+FILES_gpgv = "${bindir}/gpgv"
+
+# Exclude debug files from the main packages
+FILES_${PN} = "${bindir}/* ${datadir}/gnupg ${libexecdir}/gnupg/*"
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[curl] = "--with-libcurl=${STAGING_LIBDIR},--without-libcurl,curl"
+PACKAGECONFIG[libusb] = "--with-libusb=${STAGING_LIBDIR},--without-libusb,libusb-compat"
+
+BBCLASSEXTEND = "native nativesdk"
diff --git a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
index 4cb486905d..22d4a84329 100644
--- a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
+++ b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt
@@ -121,6 +121,7 @@ gnome-desktop-testing@core
 gnu-config@core
 gnu-efi@core
 gnupg@core
+gnupg1@refkit-core
 gnutls@core
 gobject-introspection@core
 gpgme@core
From 1f142ae3bf740aa3933187df2d78bb961f93781c Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 6 Jun 2017 17:44:02 +0300 Subject: [PATCH 12/24] scripts: added gpg-keygen.sh. Added a script for generating GPG keys, primarily intended for generating signing keys for ostree/flatpak repositories. Signed-off-by: Krisztian Litkey --- meta-refkit-core/scripts/gpg-keygen.sh | 274 +++++++++++++++++++++++++ 1 file changed, 274 insertions(+) create mode 100755 meta-refkit-core/scripts/gpg-keygen.sh
diff --git a/meta-refkit-core/scripts/gpg-keygen.sh b/meta-refkit-core/scripts/gpg-keygen.sh
new file mode 100755
index 0000000000..1b22d2e029
--- /dev/null
+++ b/meta-refkit-core/scripts/gpg-keygen.sh
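Review bot: In `do_install` of gnupg1_1.4.21.bb the directory created is `${D}${docdir}/${BPN}`, which is `.../gnupg1` for this recipe, but both `mv` commands target `${D}/${docdir}/gnupg/`; unless `make install` happens to create that directory the moves fail, and `|| :` hides the failure, so the files stay where upstream installed them. Creating the directory that is actually used, `install -d ${D}${docdir}/gnupg`, or moving into `${D}${docdir}/${BPN}/`, and dropping `|| :`, would make a real failure visible. The class-target guard reports through `echo` and `exit 1`; `bbfatal "gnupg1 is native-only, use gnupg 2.x on the target"` would put the reason into the build log summary. `RDEPENDS_${PN}_class-target` and `nativesdk` in `BBCLASSEXTEND` also look inconsistent with a recipe that is meant to be native-only.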
@@ -0,0 +1,274 @@
+#!/bin/bash
+
+# Print an informational message (currently unfiltered).
+msg () {
+ echo "$*"
+}
+
+# Print a fatal error message and exit.
+fatal () {
+ echo "fatal error: $*" 2>1
+ exit 1
+}
+
+# Print help on usage.
+print_usage () {
+ if [ -n "$*" ]; then
+ echo "$*"
+ fi
+
+ echo "usage: $0 -c config | -o output [ options ]"
+ echo ""
+ echo "Generate GPG signing keyring for our flatpak/OSTree repository and"
+ echo "export the generated public and secret keys from the keyring."
+ echo ""
+ echo "The possible options are:"
+ echo " --home GPG home directory for the keyring"
+ echo " --id key ID to check/generate"
+ echo " --pub public key file to produce/import"
+ echo " --sec secret key file to produce/import"
+ echo " --config use provided config, ignore other options"
+ echo " --type key type to generate"
+ echo " --length key length to use"
+ echo " --subkey-type subkey type to generate"
+ echo " --subkey-length subkey length to use"
+ echo " --name real name associated with the generated key"
+ echo " --gpg2 import keys to GPG2 keyring as well"
+ echo " --help show this help"
+
+ if [ -n "$*" ]; then
+ exit 1
+ else
+ exit 0
+ fi
+}
+
+# Parse the command line.
+parse_command_line () {
+ while [ -n "$1" ]; do
+ case $1 in
+ --home|-H)
+ GPG_HOME="$2"
+ shift 2
+ ;;
+ --id)
+ GPG_ID="$2"
+ shift 2
+ ;;
+ --pub)
+ GPG_PUB="$2"
+ shift 2
+ ;;
+ --sec)
+ GPG_SEC="$2"
+ shift 2
+ ;;
+ --type|-T)
+ GPG_TYPE="$2"
+ shift 2
+ ;;
+ --length|-L)
+ GPG_LENGTH="$2"
+ shift 2
+ ;;
+ --subkey-type|-t)
+ GPG_SUBTYPE="$2"
+ shift 2
+ ;;
+ --subkey-length|-l)
+ GPG_SUBLENGTH="$2"
+ shift 2
+ ;;
+ --name|-n)
+ GPG_NAME="$2"
+ shift 2;
+ ;;
+ --config|-c)
+ GPG_CONFIG="$2"
+ shift 2
+ ;;
+ --gpg2|-2)
+ GPG2_IMPORT="yes"
+ ;;
+ --help|-h)
+ print_usage
+ ;;
+ *)
+ print_usage "Invalid options/argument $1"
+ ;;
+ esac
+ done
+
+ if [ -z "$GPG_HOME" ]; then
+ GPG_HOME="~/.gnupg"
+ fi
+
+ if [ -z "$GPG_ID" ]; then
+ fatal "missing key ID (--id)"
+ fi
+
+ if [ -z "$GPG_PUB" ]; then
+ GPG_PUB="$GPG_HOME/$GPG_ID.pub"
+ fi
+
+ if [ -z "$GPG_SEC" ]; then
+ GPG_SEC="$GPG_HOME/$GPG_ID.sec"
+ fi
+
+ if [ -z "$GPG_NAME" ]; then
+ GPG_NAME="Signing Key"
+ fi
+
+ msg "GPG key generation configuration:"
+ msg " home: $GPG_HOME"
+ msg " key ID: $GPG_ID"
+ msg " public key: $GPG_PUB"
+ msg " public key: $GPG_SEC"
+ msg " name: $GPG_NAME"
+}
+
+# Check and create GPG home directory if necessary.
+gpg1_chkhome ()
+{
+ if [ ! -d $GPG_HOME ]; then
+ mkdir -p $GPG_HOME
+ chmod og-rwx $GPG_HOME
+ else
+ chmod og-rwx $GPG_HOME
+ fi
+}
+
+# Check if the requested keys are already in the keyring.
+gpg1_chkkeyrings ()
+{
+ if $GPG1 --list-keys | grep -q -e "<$GPG_ID>" && \
+ $GPG1 --list-secret-keys | grep -q -e "<$GPG_ID>"; then
+ return 0
+ else
+ return 1
+ fi
+}
+
+# Check if the requested keys already exist.
+gpg1_chkkeys ()
+{
+ if [ ! -e $GPG_PUB -o ! -e $GPG_SEC ]; then
+ msg "* Key files $GPG_PUB/$GPG_SEC not found..."
+ rm -f $GPG_PUB $GPG_SEC
+ if gpg1_chkkeyrings; then
+ msg "* Keys ($GPG_ID) already in keyrings, exporting..."
+ $GPG1 --export --output $GPG_PUB $GPG_ID
+ $GPG1 --export-secret-keys --output $GPG_SEC $GPG_ID
+ else
+ return 1
+ fi
+ else
+ if ! gpg1_chkkeyrings; then
+ msg "* Importing keys $GPG_SEC, $GPG_PUB..."
+ $GPG1 --import $GPG_PUB
+ $GPG1 --import $GPG_SEC
+ fi
+ fi
+}
+
+# Generate GPG --batch mode key generation configuration file (unless given).
+gpg1_mkconfig () {
+ if [ -n "$GPG_CONFIG" ]; then
+ if [ ! -f "$GPG_CONFIG" ]; then
+ fatal "Missing GPG key configuration $GPG_CONFIG."
+ fi
+ msg "* Using provided GPG key configuration: $GPG_CONFIG"
+ else
+ GPG_CONFIG="$GPG_HOME/$GPG_ID.cfg"
+
+ msg "* Generating GPG key configuration $GPG_CONFIG..."
+
+ (echo "%echo Generating GPG signing keys ($GPG_PUB, $GPG_SEC)..."
+ echo "Key-Type: $GPG_TYPE"
+ echo "Key-Length: $GPG_LENGTH"
+ echo "Subkey-Type: $GPG_SUBTYPE"
+ echo "Subkey-Length: $GPG_SUBLENGTH"
+ echo "Name-Real: $GPG_NAME"
+ echo "Name-Email: $GPG_ID"
+ echo "Expire-Date: 0"
+ echo "%pubring $GPG_PUB"
+ echo "%secring $GPG_SEC"
+ echo "%commit"
+ echo "%echo done") > $GPG_CONFIG
+ fi
+}
+
+# Generate GPG1 keys and keyring.
+gpg1_genkeys () {
+ msg "* Generating GPG1 keys and keyring..."
+
+ $GPG1 --batch --gen-key $GPG_CONFIG
+ $GPG1 --import $GPG_SEC
+ $GPG1 --import $GPG_PUB
+}
+
+# Mark all keys trusted in our keyring.
+gpg1_trustkeys () {
+ local _trustdb=$GPG_HOME/gpg.trustdb _fp
+
+ #
+ # This is a bit iffy... we misuse a supposedly private
+ # GPG API (the trust DB format).
+ #
+
+ msg "* Marking keys trusted in keyring..."
+
+ $GPG1 --export-ownertrust > $_trustdb
+
+ # Note: we might end up with duplicates but that's ok...
+ for _fp in $($GPG1 --fingerprint | \
+ grep " fingerprint = " | sed 's/^.* = //g;s/ //g'); do
+ echo $_fp:6: >> $_trustdb
+ done
+
+ $GPG1 --import-ownertrust < $_trustdb
+ rm -f $_trustdb
+}
+
+# Import keys to GPG2 keyring.
+gpg2_import () {
+ if [ "$GPG2_IMPORT" = "yes" ]; then
+ msg "* Importing keys to GPG2 keyring..."
+ $GPG1 --export-secret-keys | $GPG2 --import
+ else
+ msg "* GPG2 import not requested, skipping..."
+ fi
+}
+
+
+#########################
+# main script
+
+GPG_HOME=""
+GPG_ID=""
+GPG_PUB=""
+GPG_SEC=""
+GPG_TYPE="DSA"
+GPG_LENGTH="2048"
+GPG_SUBTYPE="ELG-E"
+GPG_SUBLENGTH="2048"
+GPG_NAME=""
+GPG_CONFIG=""
+GPG2_IMPORT=""
+
+parse_command_line $*
+
+set -e
+
+GPG1="gpg --homedir=$GPG_HOME"
+GPG2="gpg2 --homedir=$GPG_HOME"
+
+gpg1_chkhome
+
+if ! gpg1_chkkeys; then
+ gpg1_mkconfig
+ gpg1_genkeys
+ gpg1_trustkeys
+fi
+
+gpg2_import
From fe7d167830fe4f324e49c73a58384dfe71dfb6fa Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Mon, 12 Jun 2017 19:30:25 +0300 Subject: [PATCH 13/24] refkit-signing-keys.bbclass: added class for key generation/import. Added a class for generating or importing signing keys using GPG. Currently we use this to generate signing keys for flatpak ostree repositories. Signed-off-by: Krisztian Litkey --- .../classes/refkit-signing-keys.bbclass | 84 +++++++++++++++++++ 1 file changed, 84 insertions(+) create mode 100644 meta-refkit-core/classes/refkit-signing-keys.bbclass
diff --git a/meta-refkit-core/classes/refkit-signing-keys.bbclass b/meta-refkit-core/classes/refkit-signing-keys.bbclass
new file mode 100644
index 0000000000..19a6245c49
--- /dev/null
+++ b/meta-refkit-core/classes/refkit-signing-keys.bbclass
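Review bot: `gpg1_trustkeys` in gpg-keygen.sh assigns ownertrust `6` (ultimate) to every fingerprint printed by `$GPG1 --fingerprint`, so when `--home` points at a keyring that already holds other keys, all of them become ultimately trusted; limiting the listing to the key just generated, `$GPG1 --fingerprint "$GPG_ID"`, keeps the change scoped. The batch configuration written by `gpg1_mkconfig` sets no `Passphrase`, so the secret key is presumably unprotected, and a `umask 077` at the top of the main script would keep `$GPG_SEC` and `$GPG_CONFIG` private even when `--sec` points outside the home directory. Three smaller defects in the same file: `fatal` redirects with `2>1`, which writes to a file named `1` (use `>&2`); the `--gpg2|-2` case has no `shift`, so the parse loop never terminates; and `GPG_HOME="~/.gnupg"` is quoted, so the tilde is not expanded (use `"$HOME/.gnupg"`).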
@@ -0,0 +1,84 @@
+#
+# This class can be used to generate (or import) a set of signing keys,
+# for whatever purpose the build might need those. Once such purpose is
+# the signing of base OS and flatpak ostree repositories.
+#
+# To make sure all the necessary keys get generated list them in your
+# local.conf (or some other global configuration file) by setting
+# REFKIT_SIGNING_KEYS to necessary key IDs.
+
+# Signing keys to generate, a list of key IDs.
+REFKIT_SIGNING_KEYS ?= ""
+
+# This is where we put our GPG homedir, export keys to, etc.
+REFKIT_SIGNING_GPGDIR ?= "${TMPDIR}/gnupg"
+
+# How long we let two parallel key generation tasks clash.
+REFKIT_SIGNING_TIMEOUT ?= "60"
+
+# task to generate/check all requested signing keys
+fakeroot do_generate_signing_keys () {
+ # Bail out early if we have no keys to generate.
+ if [ -z "${REFKIT_SIGNING_KEYS}" -o -z "${REFKIT_SIGNING_GPGDIR}" ]; then
+ echo "No GPG key IDs or directory set, nothing to do..."
+ return 0
+ fi
+
+ # When building several images in parallel (e.g. in CI), we have to
+ # make sure we don't let two tasks start generating the same signing
+ # key into the keyring. While GPG itself seems to semi-gracefully
+ # survive a keyring with duplicate key ids, gpgme (or maybe just ostree,
+ # I did not bother checking it) segfaults in such a case.
+ # Therefore, we have this unholy kludge where we use mkdir(2) as a
+ # lock, and let the task getting there first do the deed, while the
+ # second one just waits for the first to finish (and consequently causes
+ # its own dependent tasks to properly wait for the keys to get generated).
+ # Yuck...
+
+ dir="${REFKIT_SIGNING_GPGDIR}"
+ mkdir -p "${dir%/*}"
+ mkdir "${dir}.lock" || { # Forgive me Thompson&Dijkstra, for I have sinned...
+ slept=0
+ for id in ${REFKIT_SIGNING_KEYS}; do
+ while [ $slept -lt ${REFKIT_SIGNING_TIMEOUT} ]; do
+ if [ ! -e ${dir}/$id.sec ]; then
+ echo "Waiting for generation of signing key $id..."
+ sleep 1
+ let slept=$slept+1
+ else
+ echo "Got signing key $id..."
+ break
+ fi
+ done
+ done
+ if [ $slept -ge ${REFKIT_SIGNING_TIMEOUT} ]; then
+ echo "Signing key generation timed out..."
+ return 1
+ else
+ return 0
+ fi
+ }
+
+ dir="${REFKIT_SIGNING_GPGDIR}"
+ for id in ${REFKIT_SIGNING_KEYS}; do
+ pubkey="$dir/$id.pub"
+ seckey="$dir/$id.sec"
+
+ # Generate repository signing GPG keys, if we don't have them yet.
+ echo "Generating/checking signing key $id..."
+
+ ${FLATPAKBASE}/scripts/gpg-keygen.sh \
+ --home $dir \
+ --id $id \
+ --pub $pubkey \
+ --sec $seckey
+ done
+
+ rmdir "${dir}.lock"
+}
+
+do_generate_signing_keys[depends] += " \
+ gnupg1-native:do_populate_sysroot \
+"
+
+addtask generate_signing_keys before do_rootfs
From 46af4859fadef24558028c32bed4126be176e539 Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 6 Jun 2017 17:47:06 +0300 Subject: [PATCH 14/24] scripts: added script for generating a flatpak repostory. Added a workhorse script for generating/populating a primary flatpak repository for an image. The script can also replicate this repository to another archive-z2 repository which can then be exposed over HTTP for consumption by flatpak clients. This will be necessary for building flatpaks for/against a flatpak-enabled refkit image. Signed-off-by: Krisztian Litkey --- .../scripts/flatpak-populate-repo.sh | 365 ++++++++++++++++++ 1 file changed, 365 insertions(+) create mode 100755 meta-refkit-core/scripts/flatpak-populate-repo.sh
diff --git a/meta-refkit-core/scripts/flatpak-populate-repo.sh b/meta-refkit-core/scripts/flatpak-populate-repo.sh
new file mode 100755
index 0000000000..618c7b2883
--- /dev/null
+++ b/meta-refkit-core/scripts/flatpak-populate-repo.sh
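Review bot: The `${dir}.lock` directory in `do_generate_signing_keys` is removed only by the `rmdir` on the last line, so if `gpg-keygen.sh` fails the lock stays behind and every later run takes the waiter branch, where it can only time out or pick up whatever key files happen to exist. Releasing the lock on the failure path as well, `--sec $seckey || { rmdir "${dir}.lock"; return 1; }`, avoids the stale lock. The waiter treats the existence of `${dir}/$id.sec` as completion, but gpg-keygen.sh appears to create that file before it imports the keys into the keyring, so a waiting task may continue with a half-populated keyring; waiting for the lock directory to disappear would be a firmer signal. `let slept=$slept+1` is a bashism and fails if the task shell is not bash; `slept=$((slept + 1))` is portable.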
@@ -0,0 +1,365 @@
+#!/bin/bash
+
+
+# Print an informational message an exit (currently unconditionally).
+msg () {
+ echo "$*"
+}
+
+# Print a fatal error message and exit.
+fatal () {
+ echo "fatal error: $*"
+ exit 1
+}
+
+# Print help on usage.
+print_usage () {
+ if [ -n "$*" ]; then
+ echo "$*"
+ fi
+
+ echo "usage: $0 [options]"
+ echo ""
+ echo "Take a runtime or SDK image sysroot directory and commit it into a"
+ echo "flatpak/OSTree repository. If the repository does not exist by"
+ echo "default it is created in archive-z2 mode. Such a repository is"
+ echo "suitable to be exported over HTTP/HTTPS for flatpak clients to fetch"
+ echo "fetch runtime/SDK images and flatpak application from."
+ echo "archive-z2 format, suitable to be exported over HTTP for clients to"
+ echo "fetch data from."
+ echo ""
+ echo "The other possible options are:"
+ echo " --repo-path path to flatpak repository to populate"
+ echo " --repo-mode repository mode [bare-user]"
+ echo " --repo-export export the image also to archive-z2 "
+ echo " --gpg-home GPG home directory for keyring"
+ echo " --gpg-id GPG key id to use for signing"
+ echo " --branches branches to commit/export to repository"
+ echo " --image-sysroot image sysroot directory"
+ echo " --tmpdir temporary directory to use"
+ echo " --subject commit subject message"
+ echo " --body commit body message"
+ echo " --image-libs provided image library file"
+ echo " --help print this help and exit"
+
+ if [ -n "$*" ]; then
+ exit 1
+ else
+ exit 0
+ fi
+}
+
+# Parse the command line.
+parse_command_line () {
+ while [ -n "$1" ]; do
+ case $1 in
+ --repo-path|--repo|-r)
+ REPO_PATH=$2
+ shift 2
+ ;;
+ --repo-mode)
+ REPO_MODE=$2
+ shift 2
+ ;;
+
+ --repo-export|--export|-e)
+ REPO_EXPORT=$2
+ shift 2
+ ;;
+
+ --gpg-home|--gpg-homedir)
+ GPG_HOME=$2
+ shift 2
+ ;;
+
+ --gpg-id)
+ GPG_ID=$2
+ shift 2
+ ;;
+
+ --branches)
+ REPO_BRANCHES="$2"
+ shift 2
+ ;;
+
+ --image-sysroot|--image)
+ IMAGE_SYSROOT=$2
+ shift 2
+ ;;
+
+ --tmp-dir|--tmp)
+ TMPDIR=$2
+ shift 2
+ ;;
+
+ --subject)
+ COMMIT_SUBJECT="$2"
+ shift 2
+ ;;
+
+ --body)
+ COMMIT_BODY="$2"
+ shift 2
+ ;;
+
+ --image-libs|--libs)
+ LIBRARIES=$2
+ shift 2
+ ;;
+
+ --help|-h)
+ print_usage
+ exit 0
+ ;;
+
+ *)
+ print_usage "Unknown command line option/argument $1."
+ ;;
+ esac
+ done
+
+ if [ -z "$REPO_PATH" ]; then
+ print_usage "missing repository path (--repo-path)"
+ fi
+
+ if [ ! -e "$REPO_PATH" -a -z "$IMAGE_SYSROOT" ]; then
+ print_usage "missing image sysroot (--image-sysroot)"
+ fi
+
+ if [ ! -d $REPO_PATH -a -z "$REPO_BRANCHES" ]; then
+ print_usage "missing branches (--branches)"
+ fi
+
+ if [ -z "$TMPDIR" ]; then
+ TMPDIR="$IMAGE_SYSROOT.flatpak-tmp.$$"
+ else
+ TMPDIR="$TMPDIR/flatpak-tmp.$$"
+ fi
+
+ FLATPAK_SYSROOT=$TMPDIR/flatpak-sysroot
+ METADATA=$FLATPAK_SYSROOT/metadata
+}
+
+# Create image metadata file for the repository.
+metadata_generate () {
+ local _platform
+ local _sdk
+
+ msg "* Generating metadata file ($METADATA)..."
+
+ _platform="${REPO_BRANCHES%%,*}"
+ _sdk="${_platform/BasePlatform/BaseSdk}"
+
+ (echo "[Runtime]"
+ echo "name=$_platform"
+ echo "runtime=$_platform"
+ echo "sdk=$_sdk") > $METADATA
+}
+
+# Populate temporary sysroot with flatpak-translated path names.
+sysroot_populate () {
+ msg "* Creating flatpak sysroot ($FLATPAK_SYSROOT) from $IMAGE_SYSROOT..."
+
+ mkdir -p $FLATPAK_SYSROOT
+ bsdtar -C $IMAGE_SYSROOT -cf - ./usr ./etc | \
+ bsdtar -C $FLATPAK_SYSROOT \
+ -s ":^./usr:./files:S" \
+ -s ":^./etc:./files/etc:S" \
+ -xvf -
+}
+
+# Clean up temporary sysroot.
+sysroot_cleanup () {
+ msg "* Cleaning up $TMPDIR, $FLATPAK_SYSROOT..."
+ rm -rf $TMPDIR
+}
+
+# Initialize flatpak/OSTree repository, if necessary.
+repo_create () {
+ local _path="$1"
+ local _mode="${2:-bare-user}"
+
+ if [ -d $_path ]; then
+ if [ -f $_path/config -a grep -q $_mode $_path/config ]; then
+ msg "* Using existing $_mode repository $_path..."
+ return 0
+ fi
+
+ fatal "Existing repository $_path is not a $_mode repo."
+ fi
+
+ msg "* Creating $_mode repository $_path..."
+
+ mkdir -p $_path
+ ostree --repo=$_path init --mode=$_mode
+}
+
+# Populate the repository.
+repo_populate () {
+ local _b _ref _content
+
+ # OSTree can't handle files with no read permission
+ msg "* Fixup permissions for OSTree..."
+ find $FLATPAK_SYSROOT -type f -exec chmod u+r {} \;
+
+ IMAGE_VERSION=$(cat $IMAGE_SYSROOT/etc/version)
+ if [ -z "$COMMIT_SUBJECT" ]; then
+ COMMIT_SUBJECT="Commit of image $IMAGE_VERSION."
+ fi
+
+ #IMAGE_BUILD="$(cat $IMAGE_SYSROOT/etc/build)"
+ if [ -z "$COMMIT_BODY" ]; then
+ COMMIT_BODY="Commit of image $IMAGE_VERSION."
+ fi
+
+ _ref=""
+ for _b in ${REPO_BRANCHES//,/ }; do
+ if [ -z "$_ref" ]; then
+ msg "* Committing base/canonical branch $_b..."
+ _content="$FLATPAK_SYSROOT"
+ _ref=$_b
+ else
+ msg "* Committing additional branch $_b..."
+ _content="--tree=ref=$_ref"
+ fi
+
+ ostree --repo=$REPO_PATH commit \
+ $GPG_SIGN \
+ --owner-uid=0 --owner-gid=0 --no-xattrs \
+ --subject "$COMMIT_SUBJECT" \
+ --body "$COMMIT_BODY" \
+ --branch=$_b $_content
+
+ msg "* Updating repository summary..."
+ ostree --repo=$REPO_PATH summary -u $GPG_SIGN
+ done
+}
+
+# Mirror the branch we created to our export repository.
+repo_export () {
+ local _from="$1"
+ local _to="${2:-$_from.archive-z2}"
+ local _ref
+
+ for _ref in $(ostree --repo=$_from refs); do
+ msg "* Exporting branch $_ref to $_to..."
+ ostree --repo=$_to pull-local $_from $_ref
+ ostree --repo=$_to summary -u $GPG_SIGN
+ done
+
+ repo_apache_config $_to
+}
+
+# Generate and HTTP configuration fragment for the exported repository.
+repo_apache_config () {
+ local _path=$1
+ local _alias
+
+ cd $_path && _path=$(pwd) && cd - >& /dev/null
+ _alias="/flatpak/" # this is not good enough...
+
+ msg "* Generating apache2 config fragment for $_path..."
+ (echo "Alias \"$_alias\" \"$_path/\""
+ echo ""
+ echo ""
+ echo " Options Indexes FollowSymLinks"
+ echo " Require all granted"
+ echo "") > $_path.http.conf
+}
+
+# Generate list of libraries provided by the image.
+generate_lib_list () {
+ [ -z "$LIBRARIES" ] && return 0
+
+ msg "* Generating list of provided libraries..."
+ (cd $IMAGE_SYSROOT; find . -type f -name lib\*.so.\*) | \
+ sed 's#^\./#/#g' > $LIBRARIES
+}
+
+# Fixup gpg2 relocation related overall crapness.
+gpg2_kludgeup () {
+ local _expected _real
+
+ if [ -z "$GPG_HOME" ]; then
+ return 0
+ fi
+
+ _expected=$(gpgconf | grep ^gpg: | cut -d ':' -f 3)
+ _real=$(which gpg2)
+
+ if [ -n "$_expected" -a -n "$_real" -a "$_expected" != "$_real" ]; then
+ msg "Temporarily symlinking gpg2 binary to expected location..."
+ ln -s $_real $_expected
+ fi
+}
+
+# Undo gpg2 relocation kludge
+gpg2_cleanup () {
+ local _expected _real
+
+ if [ -z "$GPG_HOME" ]; then
+ return 0
+ fi
+
+ _expected=$(gpgconf | grep ^gpg: | cut -d ':' -f 3)
+ _real=$(which gpg2)
+
+ if [ -n "$_expected" -a -n "$_real" -a "$_expected" != "$_real" ]; then
+ msg "* Removing gpg2 kludge symlink..."
+ rm -f $_expected
+ fi
+}
+
+#########################
+# main script
+
+REPO_PATH=""
+REPO_MODE=""
+REPO_EXPORT=""
+IMAGE_SYSROOT=""
+TMPDIR=""
+REPO_BRANCHES=""
+GPG_HOME=""
+GPG_ID=""
+
+parse_command_line $*
+
+msg "Flatpak repository population/exporting:"
+msg " image repo: $REPO_PATH"
+msg " image sysroot: ${IMAGE_SYSROOT:-none}"
+msg " temporary dir: $TMPDIR"
+msg " library list: $LIBRARIES"
+msg " export repo: $REPO_EXPORT"
+msg " branches: ${REPO_BRANCHES//,/ }"
+msg " commit subject: $COMMIT_SUBJECT"
+msg " commit body: $COMMIT_BODY"
+msg " GPG home: ${GPG_HOME:-none}"
+msg " GPG signing id: ${GPG_ID:-none}"
+
+set -e
+
+if [ -n "$GPG_ID" ]; then
+ GPG_SIGN="--gpg-homedir=${GPG_HOME:-~/.gnupg} --gpg-sign=$GPG_ID"
+else
+ GPG_SIGN=""
+fi
+
+# gpg2_kludgeup
+
+if [ ! -e $REPO_PATH ]; then
+ repo_create $REPO_PATH $REPO_MODE
+ sysroot_populate
+ metadata_generate
+ repo_populate
+ sysroot_cleanup
+fi
+
+if [ -n "$REPO_EXPORT" ]; then
+ if [ ! -d $REPO_EXPORT ]; then
+ repo_create $REPO_EXPORT archive-z2
+ fi
+
+ repo_export $REPO_PATH $REPO_EXPORT
+fi
+
+# gpg2_cleanup
From dc187677a33677dabec0ae812a3e7c56eaeb95ab Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 6 Jun 2017 19:49:41 +0300 Subject: [PATCH 15/24] packagegroups: added flatpak packagegroup. Added basic flatpak packagegroup. Only pulls in flatpak with its dependencies. We'll add another dedicated one (probably along with a dedicated DISTRO_FEATURE) for flatpak-session. Signed-off-by: Krisztian Litkey --- .../recipes-core/packagegroups/packagegroup-flatpak.bb | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 meta-refkit-core/recipes-core/packagegroups/packagegroup-flatpak.bb
diff --git a/meta-refkit-core/recipes-core/packagegroups/packagegroup-flatpak.bb b/meta-refkit-core/recipes-core/packagegroups/packagegroup-flatpak.bb
new file mode 100644
index 0000000000..1df678af5b
--- /dev/null
+++ b/meta-refkit-core/recipes-core/packagegroups/packagegroup-flatpak.bb
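Review bot: In `repo_create` of flatpak-populate-repo.sh the check `[ -f $_path/config -a grep -q $_mode $_path/config ]` never runs `grep`; the words are handed to `[` as operands, the test errors out, and an existing repository always ends in `fatal`. It should read `if [ -f "$_path/config" ] && grep -q "$_mode" "$_path/config"; then`; the defect is masked today only because both call sites in the main script call `repo_create` when the path is absent. `parse_command_line $*` re-splits the arguments, so a `--subject` or `--body` containing spaces is broken up, and a path with spaces reaches the unquoted `rm -rf $TMPDIR`; `parse_command_line "$@"` together with quoted expansions avoids both. The working directory name `flatpak-tmp.$$` is predictable while its content is committed with `--owner-uid=0` and signed, so creating it with `mktemp -d` would be safer whenever `--tmp-dir` points at a shared location.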
@@ -0,0 +1,8 @@
+SUMMARY = "IoT Reference OS Kit Basic Flatpak Support"
+LICENSE = "MIT"
+
+inherit packagegroup
+
+RDEPENDS_${PN} = "\
+ flatpak \
+"
From cf31d68171c5ef1481b4d7bbf16b0b2fb6b01acb Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Mon, 12 Jun 2017 23:21:50 +0300 Subject: [PATCH 16/24] flatpak-*.bbclass: iadded flatpak image and repository support classes. Added three classes for supporting building flatpak-enabled images, and creating/publishing repositories with flatpak platform and SDK runtimes for such images. flatpak-config.bbclass contains the flatpak-related bitbake/configuration variables. It is separated to a class of its own because we'll probably need to inherit it in a recipe which will support pre-populating an image with pre-declared flatpak application repositories. flatpak-image-variants.bbclass declares two image variants: flatpak- runtime and flatpak-sdk. flatpak-runtime is our flatpak-enabled runtime image variant. It is supposed to get flashed to client devices that need flatpak support. flatpak-sdk is a corresponding image which we use to populate a flatpak repository with a flatpak SDK runtime which can then be used to compile/generate flatpaks for the flatpak-runtime variant. flatpak-repository.bbclass takes care of the details of populating and exporting flatpak repositories with images. Signed-off-by: Krisztian Litkey --- .../classes/flatpak-config.bbclass | 36 +++++ .../classes/flatpak-image-variants.bbclass | 39 ++++++ .../classes/flatpak-repository.bbclass | 132 ++++++++++++++++++ 3 files changed, 207 insertions(+) create mode 100644 meta-refkit-core/classes/flatpak-config.bbclass create mode 100644 meta-refkit-core/classes/flatpak-image-variants.bbclass create mode 100644 meta-refkit-core/classes/flatpak-repository.bbclass
diff --git a/meta-refkit-core/classes/flatpak-config.bbclass b/meta-refkit-core/classes/flatpak-config.bbclass
new file mode 100644
index 0000000000..d2258b3376
--- /dev/null
+++ b/meta-refkit-core/classes/flatpak-config.bbclass
@@ -0,0 +1,36 @@
+# We expect to find our scripts here, in the scripts subdirectory.
+FLATPAKBASE = "${META_REFKIT_CORE_BASE}"
+
+# This is a per-build per-image primary bare-user flatpak repository.
+FLATPAK_REPO = "${WORKDIR}/flatpak.bare-user"
+
+# This is an archive-z2 repository where we export our builds for testing.
+# This can be exposed over HTTP for consumption by flatpak. Among other
+# things, this can be used to pull in the generated BaseSdk and BasePlatform
+# repository branches to a development host for building flatpak applications
+# against the corresponding flatpak-enabled image. Set this to empty if you
+# don't want to automatically publish to such a repository.
+FLATPAK_EXPORT ?= "${TMPDIR}/flatpak.archive-z2"
+
+# We use the domain and the (canonical) branch together with ${MACHINE} to
+# construct the full flatpak REFs of our base and SDK runtimes. The full REF
+# is considered the canonical branch and is constructed as:
+#
+# runtime/${FLATPAK_DOMAIN}.Base{Platform,Sdk}/${MACHINE}/${FLATPAK_BRANCH}
+#
+# Optionally we publish builds as two additional branches:
+#
+# - an optional rolling 'latest' corresponding to the last build
+# - an optional rolling 'build' tagged with the ${BUILD_ID}
+#
+# Setting the corresponding variables for the optional branches to empty
+# disables publishing/creating those branches.
+FLATPAK_DOMAIN ?= "example.org"
+FLATPAK_BASE ?= "${@d.getVar('PN').split('-flatpak-')[0]}"
+FLATPAK_BRANCH ?= "${DISTRO}/${FLATPAK_BASE}/${DISTRO_VERSION}"
+FLATPAK_LATEST ?= "${DISTRO}/${FLATPAK_BASE}/latest"
+FLATPAK_BUILD ?= "${DISTRO}/${FLATPAK_BASE}/build/${BUILD_ID}"
+
+# This is the GPG key id of our repository signing key. If you set this to
+# empty, signing is disabled altogether.
+FLATPAK_GPGID ?= "refkit-signing@key"
diff --git a/meta-refkit-core/classes/flatpak-image-variants.bbclass b/meta-refkit-core/classes/flatpak-image-variants.bbclass
new file mode 100644
index 0000000000..153088e78a
--- /dev/null
+++ b/meta-refkit-core/classes/flatpak-image-variants.bbclass
@@ -0,0 +1,39 @@
+IMAGE_FEATURES[validitems] += " \
+ flatpak \
+ tools-sdk \
+ dev-pkgs \
+ tools-debug \
+ tools-profile \
+"
+
+FEATURE_PACKAGES_flatpak = " \
+ packagegroup-flatpak \
+"
+
+#
+# Define two flatpak-related image variants.
+#
+# - flatpak runtime image variant 'flatpak-runtime':
+# This variant corresponds to a flatpak BasePlatform runtime. In
+# addition to the content of its base image, this variant has the
+# necessary runtime bits for flatpak. Using this image on a device
+# enables one to pull in, update and run applications as flatpaks
+# from flatpak remotes/repositories.
+#
+# - flatpak SDK image variant 'flatpak-sdk':
+# This variant corresponds to a flatpak BaseSdk runtime. It has the
+# necessary bits for compiling applications and publishing them as
+# flatpaks in flatpak repositories.
+#
+# When building these images variants, a flatpak repository will also be
+# populated with the contents of these images. This repository can be used
+# to flatpak-install the runtime and SDK runtimes on a development machine
+# for generating flatpaks for the flatpak-runtime image variant.
+
+# 'flatpak-runtime' variant (runtime image for a device)
+IMAGE_VARIANT[flatpak-runtime] = "flatpak"
+
+# 'flatpak-sdk' variant (SDK image for a development host)
+IMAGE_VARIANT[flatpak-sdk] = "flatpak tools-develop tools-debug dev-pkgs"
+
+BBCLASSEXTEND += "imagevariant:flatpak-runtime imagevariant:flatpak-sdk"
diff --git a/meta-refkit-core/classes/flatpak-repository.bbclass b/meta-refkit-core/classes/flatpak-repository.bbclass
new file mode 100644
index 0000000000..da44562594
--- /dev/null
+++ b/meta-refkit-core/classes/flatpak-repository.bbclass
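Review bot: `IMAGE_VARIANT[flatpak-sdk]` in flatpak-image-variants.bbclass lists `tools-develop`, while the `IMAGE_FEATURES[validitems]` addition at the top of the class names `tools-sdk` and has no `tools-develop`. Unless `tools-develop` is declared as a valid feature somewhere outside this hunk, one of the two names is probably a slip. If the SDK variant is meant to carry the toolchain feature from the list, `IMAGE_VARIANT[flatpak-sdk] = "flatpak tools-sdk tools-debug dev-pkgs"` would match it; otherwise add `tools-develop` to the list, with a one-line comment saying where it is defined.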
@@ -0,0 +1,132 @@
+# Check we have the necessary distro features enabled.
+inherit distro_features_check
+REQUIRED_DISTRO_FEATURES_append = " usrmerge systemd pam"
+
+inherit flatpak-config
+
+REFKIT_SIGNING_KEYS += "${FLATPAK_GPGID}"
+inherit refkit-signing-keys
+
+#
+# Create and populate a primary flatpak repository from/for an image.
+#
+fakeroot do_flatpak_populate_repository () {
+ echo "Flatpak repository population:"
+ echo " * FLATPAKBASE: ${FLATPAKBASE}"
+ echo " * IMAGE_BASENAME: ${IMAGE_BASENAME}"
+
+ # Bail out early if flatpak is not enabled for this image.
+ case ${IMAGE_BASENAME} in
+ *-flatpak-runtime) RUNTIME_TYPE=BasePlatform;;
+ *-flatpak-sdk) RUNTIME_TYPE=BaseSdk;;
+ *)
+ echo "${IMAGE_BASENAME} is not a flatpak-enabled image..."
+ return 0
+ ;;
+ esac
+
+ echo "${IMAGE_BASENAME} is a flatpak $RUNTIME_TYPE image"
+
+ if [ -n "${FLATPAK_GPGID}" ]; then
+ GPG_SIGN="--gpg-home ${REFKIT_SIGNING_GPGDIR} \
+ --gpg-id ${FLATPAK_GPGID}"
+ else
+ GPG_SIGN=""
+ fi
+
+ _base="runtime/${FLATPAK_DOMAIN}.$RUNTIME_TYPE/${MACHINE}"
+ _t=""
+ for _b in ${FLATPAK_BRANCH} ${FLATPAK_LATEST} ${FLATPAK_BUILD}; do
+ BRANCHES="$BRANCHES$_t$_base/$_b"
+ _t=","
+ done
+
+ echo "Using flatpak branches $BRANCHES for ${IMAGE_ROOTFS}..."
+
+ # Generate/populate flatpak/OSTree repository
+ ${FLATPAKBASE}/scripts/flatpak-populate-repo.sh \
+ --repo-path ${FLATPAK_REPO} \
+ --repo-mode bare-user \
+ $GPG_SIGN \
+ --branches "$BRANCHES" \
+ --image-sysroot ${IMAGE_ROOTFS} \
+ --tmp-dir ${TMPDIR}
+}
+
+do_flatpak_populate_repository[depends] += " \
+ ostree-native:do_populate_sysroot \
+ flatpak-native:do_populate_sysroot \
+ gnupg1-native:do_populate_sysroot \
+"
+
+do_flatpak_populate_repository[vardeps] += " \
+ FLATPAK_REPO \
+ FLATPAK_EXPORT \
+ FLATPAK_DOMAIN \
+ FLATPAK_BRANCH \
+ FLATPAK_LATEST \
+ FLATPAK_BUILD \
+ FLATPAK_GPGID \
+"
+
+#
+# Export an image (well the bare-user repo, really) to an archive-z2 repo.
+#
+fakeroot do_flatpak_export_repository () {
+ # Bail out early if no export repository is defined.
+ if [ -z "${FLATPAK_EXPORT}" ]; then
+ echo "Flatpak repository for export not specified, skip export..."
+ return 0
+ fi
+
+ # Bail out early if flatpak is not enabled for this image.
+ case ${IMAGE_BASENAME} in
+ *-flatpak-runtime) RUNTIME_TYPE=BasePlatform;;
+ *-flatpak-sdk) RUNTIME_TYPE=BaseSdk;;
+ *)
+ echo "${IMAGE_BASENAME} is not a flatpak-enabled image..."
+ return 0
+ ;;
+ esac
+
+ echo "${IMAGE_BASENAME} is a flatpak $RUNTIME_TYPE image"
+
+ if [ -n "${FLATPAK_GPGID}" ]; then
+ GPG_SIGN="--gpg-home ${REFKIT_SIGNING_GPGDIR} \
+ --gpg-id ${FLATPAK_GPGID}"
+ else
+ GPG_SIGN=""
+ fi
+
+ # Export to archive-z2 flatpak/OSTree repository
+ ${FLATPAKBASE}/scripts/flatpak-populate-repo.sh \
+ --repo-path ${FLATPAK_REPO} \
+ --repo-export ${FLATPAK_EXPORT} \
+ $GPG_SIGN \
+ --tmp-dir ${TMPDIR}
+}
+
+do_flatpak_export_repository[depends] += " \
+ ostree-native:do_populate_sysroot \
+ flatpak-native:do_populate_sysroot \
+ gnupg1-native:do_populate_sysroot \
+"
+
+do_flatpak_export_repository[vardeps] += " \
+ FLATPAK_REPO \
+ FLATPAK_EXPORT \
+ FLATPAK_DOMAIN \
+ FLATPAK_BRANCH \
+ FLATPAK_LATEST \
+ FLATPAK_BUILD \
+ FLATPAK_GPGID \
+"
+
+addtask flatpak_populate_repository \
+ after do_rootfs \
+ before do_image_complete
+
+addtask flatpak_export_repository \
+ after do_flatpak_populate_repository \
+ before do_image_complete
+
From 78f704352636bb64480722e88b71afa074d84b9f Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 13 Jun 2017 21:21:54 +0300 Subject: [PATCH 17/24] flatpak.inc: added config fragment for enabling flatpak support. If included/required, enable DISTRO_FEATURES (usrmerge, pam, flatpak) necessary for basic flatpak support, and set user-session PACKAGECONFIG for D-Bus.
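Review bot: In `do_flatpak_populate_repository` of flatpak-repository.bbclass, `BRANCHES` is appended to inside the `for _b in ...` loop without being reset first, so any `BRANCHES` value already present in the task environment would end up in front of the ref list passed to `--branches`; add `BRANCHES=""` next to `_t=""`. Both tasks also fall back to `GPG_SIGN=""` silently when `FLATPAK_GPGID` is empty, so an unsigned export to `${FLATPAK_EXPORT}` leaves no trace in the task log. A `bbwarn "FLATPAK_GPGID is empty, flatpak repository will not be signed"` in that `else` branch would make it visible. The path arguments `${FLATPAK_REPO}`, `${FLATPAK_EXPORT}`, `${IMAGE_ROOTFS}` and `${TMPDIR}` are passed unquoted and would split on whitespace; quoting them costs nothing.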
Signed-off-by: Krisztian Litkey --- meta-refkit-core/conf/distro/include/flatpak.inc | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 meta-refkit-core/conf/distro/include/flatpak.inc diff --git a/meta-refkit-core/conf/distro/include/flatpak.inc b/meta-refkit-core/conf/distro/include/flatpak.inc new file mode 100644 index 0000000000..34bd86673d --- /dev/null +++ b/meta-refkit-core/conf/distro/include/flatpak.inc @@ -0,0 +1,8 @@ +REFKIT_DEFAULT_DISTRO_FEATURES += " \ + usrmerge \ + pam \ + flatpak \ +" + +# Enable D-Bus session bus support, needed by flatpak. +PACKAGECONFIG_append_pn-dbus_refkit-config = " user-session" From 0ca4b3da67f68e8ac24049c0fd7328efbc12e0d5 Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Mon, 12 Jun 2017 23:23:42 +0300 Subject: [PATCH 18/24] refkit-image.bbclass: flatpak-enabled images, enable flatpak repo support. If flatpak DISTRO_FEATURE is on inherit flatpak-image-variant and flatpak-repository to enable building flatpak-enabled images and generating corresponding flatpak repositories. Signed-off-by: Krisztian Litkey --- meta-refkit-core/classes/refkit-image.bbclass | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/meta-refkit-core/classes/refkit-image.bbclass b/meta-refkit-core/classes/refkit-image.bbclass index 340c19ce24..ed5643086e 100644 --- a/meta-refkit-core/classes/refkit-image.bbclass +++ b/meta-refkit-core/classes/refkit-image.bbclass @@ -256,6 +256,12 @@ IMAGE_MODE_VALID = "${@ d.getVar('REFKIT_IMAGE_MODE_VALID') or '' }" # variants of variants. inherit image-mode-variants +# Enable flatpak image variant and repository generation. +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'flatpak', \ + 'flatpak-image-variants', '', d)} +inherit ${@bb.utils.contains('DISTRO_FEATURES', 'flatpak', \ + 'flatpak-repository', '', d)} + BUILD_ID ?= "${DATETIME}" # Do not re-trigger builds just because ${DATETIME} changed. BUILD_ID[vardepsexclude] += "DATETIME" 
From c4f93445f4aacec27021b4a757a8871212850421 Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 13 Jun 2017 14:19:55 +0300 Subject: [PATCH 19/24] flatpak-image-runtime.bb,packagegroups: added recipes for fake runtime. Added a recipe for flatpak-image-runtime, a simple systemd service which emulates a flatpak runtime for the currently running image using a bunch of read-only bind mounts. Also added the recipe to the flatpak packagegroup and declared it as a supported recipe. Signed-off-by: Krisztian Litkey --- .../packagegroups/packagegroup-flatpak.bb | 1 + .../flatpak-image-runtime_git.bb | 43 +++++++++++++++++++ .../include/refkit-supported-recipes.txt | 1 + 3 files changed, 45 insertions(+) create mode 100644 meta-refkit-core/recipes-flatpak/flatpak-image-runtime/flatpak-image-runtime_git.bb diff --git a/meta-refkit-core/recipes-core/packagegroups/packagegroup-flatpak.bb b/meta-refkit-core/recipes-core/packagegroups/packagegroup-flatpak.bb index 1df678af5b..abe86784c3 100644 --- a/meta-refkit-core/recipes-core/packagegroups/packagegroup-flatpak.bb +++ b/meta-refkit-core/recipes-core/packagegroups/packagegroup-flatpak.bb @@ -5,4 +5,5 @@ inherit packagegroup RDEPENDS_${PN} = "\ flatpak \ + flatpak-image-runtime \ " diff --git a/meta-refkit-core/recipes-flatpak/flatpak-image-runtime/flatpak-image-runtime_git.bb b/meta-refkit-core/recipes-flatpak/flatpak-image-runtime/flatpak-image-runtime_git.bb new file mode 100644 index 0000000000..3bf14ccf7d --- /dev/null +++ b/meta-refkit-core/recipes-flatpak/flatpak-image-runtime/flatpak-image-runtime_git.bb 
@@ -0,0 +1,43 @@ +SUMMARY = "A systemd service to set up a fake flatpak runtime for the image." +DESCRIPTION = "This package provides a systemd service that fakes a flatpak \ +runtime for the currently running image, using read-only bind mounts." +HOMEPAGE = "https://github.com/klihub/flatpak-image-runtime" +SECTION = "misc" + +LICENSE = "BSD-3-Clause" +LIC_FILES_CHKSUM = "file://LICENSE-BSD;md5=f9f435c1bd3a753365e799edf375fc42" + +SRC_URI = " \ + git://git@github.com/klihub/flatpak-image-runtime.git;protocol=http;branch=master \ +" + +SRCREV = "8f563cfcc07a9f9d7cdcf0319cffda6d23745303" + +DEPENDS = "systemd" + +inherit autotools pkgconfig systemd flatpak-config + +S = "${WORKDIR}/git" + +FILES_${PN} = " \ + ${datadir}/flatpak-image-runtime \ + ${systemd_unitdir}/system/flatpak-image-runtime.service \ +" + +SYSTEMD_SERVICE_${PN} = " \ + flatpak-image-runtime.service \ +" + +EXTRA_OECONF += " \ + --with-systemdunitdir=${systemd_unitdir} \ + --with-domain=${FLATPAK_DOMAIN} \ + --with-arch=${MACHINE} \ + --with-branch=${FLATPAK_BRANCH} \ +" + +do_configure_prepend () { + cd ${S} + NOCONFIGURE=1 ./bootstrap + cd - +} + diff --git a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt index 22d4a84329..991fbdd1dc 100644 --- a/meta-refkit/conf/distro/include/refkit-supported-recipes.txt +++ b/meta-refkit/conf/distro/include/refkit-supported-recipes.txt @@ -93,6 +93,7 @@ findutils@core fixesproto@core flac@core flatpak@refkit-core +flatpak-image-runtime@refkit-core flex@core font-util@core fontconfig@core From f4b37e4200cbe2c0e5f0b598e481a6bb70684038 Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Tue, 13 Jun 2017 21:22:51 +0300 Subject: [PATCH 20/24] enable-refkit-config.inc: include/enable flatpak support. Enable also flatpak support if refkit config is enabled. 
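Review bot: In flatpak-image-runtime_git.bb, `SRC_URI` fetches the repository with `protocol=http`, so the clone crosses the network in cleartext with no server authentication; `SRCREV` pins the commit, but that is the only integrity check left. I would change the entry to `git://github.com/klihub/flatpak-image-runtime.git;protocol=https;branch=master`, as the `git@` user part should not be needed for an anonymous fetch. `do_configure_prepend` then runs `./bootstrap` from that checkout on the build host, which is one more reason to fetch over an authenticated channel.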
Signed-off-by: Krisztian Litkey --- meta-refkit-core/conf/distro/include/enable-refkit-config.inc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/meta-refkit-core/conf/distro/include/enable-refkit-config.inc b/meta-refkit-core/conf/distro/include/enable-refkit-config.inc index 092dcf8ce7..37b65d5bc7 100644 --- a/meta-refkit-core/conf/distro/include/enable-refkit-config.inc +++ b/meta-refkit-core/conf/distro/include/enable-refkit-config.inc @@ -15,3 +15,5 @@ VIRTUAL-RUNTIME_initscripts = "" # defaults from OE-core. DISTRO_FEATURES_DEFAULT_remove = "${REFKIT_DEFAULT_DISTRO_FEATURES_REMOVE}" DISTRO_FEATURES ?= "${DISTRO_FEATURES_DEFAULT} ${DISTRO_FEATURES_LIBC} ${REFKIT_DEFAULT_DISTRO_FEATURES}" + +require conf/distro/include/flatpak.inc From e3f7c0c17b29826818d870512110b861fed9cf9e Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Wed, 14 Jun 2017 15:21:42 +0300 Subject: [PATCH 21/24] required-systemd.bbclass: added a distro checking variant of systemd.bbclass. Added a variant of systemd.bbclass which checks that systemd is among DISTRO_FEATURES. This can be used by recipes that not only support systemd but require it to save an extra explicit required distro feature check. Signed-off-by: Krisztian Litkey --- meta-refkit-core/classes/required-systemd.bbclass | 7 +++++++ 1 file changed, 7 insertions(+) create mode 100644 meta-refkit-core/classes/required-systemd.bbclass diff --git a/meta-refkit-core/classes/required-systemd.bbclass b/meta-refkit-core/classes/required-systemd.bbclass new file mode 100644 index 0000000000..a412dc5689 --- /dev/null +++ b/meta-refkit-core/classes/required-systemd.bbclass @@ -0,0 +1,7 @@ +# Same as systemd.bbclass but should be used by recipes which require +# systemd (as opposed to just support systemd). + +REQUIRED_DISTRO_FEATURES = "systemd" +inherit distro_features_check + +inherit systemd.bbclass From 6faa5801d19c606742cbc6f3161b29b19098ec71 Mon Sep 17 00:00:00 2001 
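Review bot: In required-systemd.bbclass, `REQUIRED_DISTRO_FEATURES = "systemd"` replaces whatever the inheriting recipe assigned before the `inherit` line, so a recipe that also requires, say, `pam` would lose that check without any message. flatpak-repository.bbclass in this same series uses the append form, and I would match it here: `REQUIRED_DISTRO_FEATURES_append = " systemd"`. Separately, every other `inherit` in the series names the class without its suffix, so `inherit systemd` would be the consistent spelling; whether `inherit systemd.bbclass` resolves to the same file depends on how BitBake looks up names ending in `.bbclass`, which is worth confirming with a parse of a recipe that uses this class.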
From: Krisztian Litkey Date: Wed, 14 Jun 2017 15:28:26 +0300 Subject: [PATCH 22/24] flatpak_git.bb: inherit required-systemd. Signed-off-by: Krisztian Litkey --- meta-refkit-core/recipes-flatpak/flatpak/flatpak_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-refkit-core/recipes-flatpak/flatpak/flatpak_git.bb b/meta-refkit-core/recipes-flatpak/flatpak/flatpak_git.bb index 14b2f8141b..0300283160 100644 --- a/meta-refkit-core/recipes-flatpak/flatpak/flatpak_git.bb +++ b/meta-refkit-core/recipes-flatpak/flatpak/flatpak_git.bb @@ -15,7 +15,7 @@ SRCREV = "1a49029f9d8fbee0338665522cf7432ae7485841" PV = "0.9.3+git${SRCPV}" S = "${WORKDIR}/git" -inherit autotools pkgconfig gettext systemd gobject-introspection +inherit autotools pkgconfig gettext required-systemd gobject-introspection DEPENDS = " \ glib-2.0 json-glib libsoup-2.4 libarchive elfutils fuse \ From acd1f336e9b470297cd954a39937d92f032436a5 Mon Sep 17 00:00:00 2001 From: Krisztian Litkey Date: Wed, 14 Jun 2017 15:28:40 +0300 Subject: [PATCH 23/24] flatpak-image-runtime.bb: inherit required-systemd. Signed-off-by: Krisztian Litkey --- .../flatpak-image-runtime/flatpak-image-runtime_git.bb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meta-refkit-core/recipes-flatpak/flatpak-image-runtime/flatpak-image-runtime_git.bb b/meta-refkit-core/recipes-flatpak/flatpak-image-runtime/flatpak-image-runtime_git.bb index 3bf14ccf7d..21e1e35b8c 100644 --- a/meta-refkit-core/recipes-flatpak/flatpak-image-runtime/flatpak-image-runtime_git.bb +++ b/meta-refkit-core/recipes-flatpak/flatpak-image-runtime/flatpak-image-runtime_git.bb @@ -15,7 +15,7 @@ SRCREV = "8f563cfcc07a9f9d7cdcf0319cffda6d23745303" DEPENDS = "systemd" -inherit autotools pkgconfig systemd flatpak-config +inherit autotools pkgconfig required-systemd flatpak-config S = "${WORKDIR}/git" From 267eaebf442b0f74f5a422acf452e8e398c2cc8c Mon Sep 17 00:00:00 2001 
From: Krisztian Litkey Date: Wed, 14 Jun 2017 15:33:17 +0300 Subject: [PATCH 24/24] refkit-ci.inc: build gateway flatpak runtime image as well. Signed-off-by: Krisztian Litkey --- meta-refkit/conf/distro/include/refkit-ci.inc | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/meta-refkit/conf/distro/include/refkit-ci.inc b/meta-refkit/conf/distro/include/refkit-ci.inc index 27d1840fb5..be76b506aa 100644 --- a/meta-refkit/conf/distro/include/refkit-ci.inc +++ b/meta-refkit/conf/distro/include/refkit-ci.inc @@ -61,7 +61,7 @@ REFKIT_CI_POSTBUILD_SELFTESTS="secureboot refkit-poky refkit-license-check image # Following targets would be used to perform default build task. # When adding new profile images, add them to refkit-installer-image.bb # and they will get pulled into the build indirectly. -REFKIT_CI_BUILD_TARGETS="refkit-image-minimal refkit-installer-image swtpm-wrappers-native ovmf" +REFKIT_CI_BUILD_TARGETS="refkit-image-minimal refkit-installer-image swtpm-wrappers-native ovmf! # Following targets would be executed with do_populate_sdk task REFKIT_CI_SDK_TARGETS="" @@ -70,7 +70,11 @@ REFKIT_CI_SDK_TARGETS="" # as possible. REFKIT_CI_ESDK_TARGETS="" # Following targets would be executed with do_test_iot_export task -REFKIT_CI_TEST_EXPORT_TARGETS="refkit-image-common refkit-image-computervision refkit-image-gateway" +REFKIT_CI_TEST_EXPORT_TARGETS="refkit-image-common refkit-image-computervision refkit-image-gateway \ +${@bb.utils.contains('DISTRO_FEATURES', 'flatpak', \ + 'refkit-image-gateway-flatpak-runtime', '', d)} \ +" + # Execute automatic tests for following images with corresponding # test suite, test files and devices. # Space separated list of tuples, each should in format: