lxc-alpine: download a static package manager if its missing

If the package manager, apk-tools is missing, then: - download a static binary and public keys - verify the keys against embedded checksum - verify the signature of the static binary against the downloaded keys - use the verified static binary Signed-off-by: Natanael Copa <ncopa@alpinelinux.org> Signed-off-by: Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>

lxc-alpine: download a static package manager if its missing
569bee5c · Natanael Copa · Serge Hallyn · 0a18b545 · 569bee5c
Commit 569bee5c authored May 28, 2013 by Natanael Copa Committed by Serge Hallyn Jun 03, 2013
Hide whitespace changes
Inline Side-by-side

Showing with 54 additions and 2 deletions

lxc-alpine.in templates/lxc-alpine.in +54 -2

No files found.
--- a/templates/lxc-alpine.in
+++ b/templates/lxc-alpine.in
 #!/bin/sh

+key_sha256sums="9c102bcc376af1498d549b77bdbfa815ae86faa1d2d82f040e616b18ef2df2d4  alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub
+2adcf7ce224f476330b5360ca5edb92fd0bf91c92d83292ed028d7c4e26333ab  alpine-devel@lists.alpinelinux.org-4d07755e.rsa.pub"
+
+get_static_apk () {
+    rootfs="$1"
+    echo "Using static apk from $repository/$apk_arch"
+    wget="wget -q -O - $repository/$apk_arch"
+
+    # parse APKINDEX to find the current versions
+    static_pkgs=$($wget/APKINDEX.tar.gz | \
+        tar -Oxz APKINDEX | \
+        awk -F: -v pkglist="alpine-keys:apk-tools-static" '
+            BEGIN { split(pkglist,pkg) }
+            $0 != "" { f[$1] = $2 }
+            $0 == "" { for (i in pkg)
+                           if (pkg[i] == f["P"])
+                               print(f["P"] "-" f["V"] ".apk") }')
+    [ "$static_pkgs" ] || return 1
+
+    mkdir -p "$rootfs" || return 1
+    for pkg in $static_pkgs; do
+        echo "Downloading $pkg"
+        $wget/$pkg | tar -xz -C "$rootfs"
+    done
+
+    # clean up .apk meta files
+    rm -f "$rootfs"/.[A-Z]*
+
+    # verify checksum of the key
+    keyname=$(echo $rootfs/sbin/apk.static.*.pub | sed 's/.*\.SIGN\.RSA\.//')
+    checksum=$(echo "$key_sha256sums" |  grep -w "$keyname")
+    if [ -z "$checksum" ]; then
+        echo "ERROR: checksum is missing for $keyname"
+        return 1
+    fi
+    (cd $rootfs/etc/apk/keys && echo "$checksum" | sha256sum -c -) || return 1
+
+    # verify the static apk binary signature
+    APK=$rootfs/sbin/apk.static
+    openssl dgst -verify $rootfs/etc/apk/keys/$keyname \
+        -signature "$APK.SIGN.RSA.$keyname" "$APK" || return 1
+}
+
 install_alpine() {
    rootfs="$1"
    shift
    mkdir -p "$rootfs"/etc/apk || return 1
-    cp -r ${keys_dir:-/etc/apk/keys} "$rootfs"/etc/apk/
+    : ${keys_dir:=/etc/apk/keys}
+    if ! [ -d "$rootfs"/etc/apk/keys ] && [ -d "$keys_dir" ]; then
+        cp -r "$keys_dir" "$rootfs"/etc/apk/keys
+    fi
    if [ -n "$repository" ]; then
        echo "$repository" > "$rootfs"/etc/apk/repositories
    else
@@ -14,7 +60,7 @@ install_alpine() {
    if [ -n "$apk_arch" ]; then
        opt_arch="--arch $apk_arch"
    fi
-    ${APK:-apk} add -U --initdb --root $rootfs $opt_arch "$@" alpine-base
+    $APK add -U --initdb --root $rootfs $opt_arch "$@" alpine-base
 }

 configure_alpine() {
@@ -167,6 +213,7 @@ optarg_check() {
 }

 default_path=@LXCPATH@
+arch=$(uname -m)

 while [ $# -gt 0 ]; do
    opt="$1"
@@ -243,6 +290,11 @@ case "$arch" in
 	*)	die "unsupported architecture: $arch";;
 esac

+: ${APK:=apk}
+if ! which $APK >/dev/null; then
+    get_static_apk "$rootfs" || die "Failed to download a valid static apk"
+fi
+
 install_alpine "$rootfs" "$@" || die "Failed to install rootfs for $name"
 configure_alpine "$rootfs" "$name" || die "Failed to configure $name"
 copy_configuration "$path" "$rootfs" "$name"