# vim: filetype=yaml sw=2 debug: '[% GET ! ENV.RBM_NO_DEBUG %]' compress_tar: gz output_dir: "out/[% project %]" tmp_dir: '[% c("basedir") %]/tmp' build_log: '[% GET ENV.RBM_LOGS_DIR ? ENV.RBM_LOGS_DIR : "logs" %]/[% project %][% IF c("var/osname") %]-[% c("var/osname") %][% END %].log' pkg_type: build steps: src-tarballs: compress_tar: xz src-tarballs: | #!/bin/bash set -e mkdir -p '[% dest_dir %]' mv -vf '[% project %]-[% c("version") %].tar.xz' '[% dest_dir %]/[% c("filename") %]' # buildconf contains build options that the user can change in rbm.local.conf # When adding a new option to buildconf, a default value should be defined # in var/build_id, so that changing this option does not affect the build_id. buildconf: num_procs: '[% GET ENV.RBM_NUM_PROCS ? ENV.RBM_NUM_PROCS : "4" %]' git_signtag_opt: '-s' var: project_name: tor-browser # By default, we sort the list of installed packages. This allows sharing # containers with identical list of packages, even if they are not listed # in the same order. In the cases where the installation order is # important, sort_deps should be set to 0. sort_deps: 1 build_id: '[% sha256(c("var/build_id_txt", { buildconf => { num_procs => 4 } })).substr(0, 6) %]' build_id_txt: | [% c("version") %] [% IF c("git_hash") || c("hg_hash"); GET c("abbrev"); END; %] [% IF c("var/container/use_container") && ! c("var/container/global_disable") -%] [% c("var/container/suite") %] [% c("var/container/arch") %] [% END -%] input_files: [% c("input_files_id") %] build: [% c("build", { filename => 'f', output_dir => '/out' }) %] container: dir: '[% c("rbm_tmp_dir") %]/rbm-containers/[% sha256(c("build_id")) %]' user: rbm disable_network: # disable network in the build scripts build: 1 input_files_list: | [% FOREACH file IN c("input_files_by_name").keys.sort -%] [% c("input_files_by_name/" _ file) %] [% END -%] faketime: "faketime -f \"[% USE date; GET date.format(c('timestamp'), format = '%Y-%m-%d %H:%M:%S') %]\"" touch: "[% USE date %]touch -m -t [% date.format(c('timestamp'), format = '%Y%m%d%H%M') %]" sign_build: '[% ENV.RBM_SIGN_BUILD %]' sign_build_gpg_opts: '[% ENV.RBM_GPG_OPTS %]' rezip: | rezip_tmpdir=$(mktemp -d) mkdir -p "$rezip_tmpdir/z" unzip -d "$rezip_tmpdir/z" -- [% c("rezip_file") %] || [ $? -lt 3 ] pushd "$rezip_tmpdir/z" [% c("zip", { zip_src => [ '.' ], zip_args => '$rezip_tmpdir/new.zip', }) %] popd mv -f -- "$rezip_tmpdir/new.zip" [% c("rezip_file") %] rm -Rf "$rezip_tmpdir" set_default_env: | set -e [% FOREACH env = c('ENV') -%] export [% env.key %]="[% env.value %]" [% END -%] rootdir=$(pwd) export SHELL=/bin/bash export HOME=$rootdir umask 0022 [% IF c("var/container/global_disable") -%] rm -Rf /var/tmp/build /var/tmp/dist [% END -%] targets: notarget: linux-x86_64 noint: debug: 0 release: var: release: 1 channel: release # The common-stretch target is used to build components that are common to all # platforms, using Debian stretch. common-stretch: var: common: 1 container: suite: stretch arch: amd64 pre_pkginst: '' deps: - build-essential - python - bison - automake - libtool - zip - unzip ncdns-android-armv7: - android-armv7 - android android-armv7: arch: armv7 var: android-armv7: 1 osname: android-armv7 ncdns-android-x86: - android-x86 - android android-x86: arch: x86 var: android-x86: 1 osname: android-x86 android: var: android: 1 compiler: android-toolchain # API 16 is the minimum we currently support for Tor Browser on Android android_min_api: 16 container: suite: stretch arch: amd64 deps: - build-essential - python - bison - automake - libtool - zip - unzip ncdns-linux-x86_64: - linux-x86_64 - linux ncdns-linux-i686: - linux-i686 - linux linux-x86_64: arch: x86_64 var: linux-x86_64: 1 osname: linux-x86_64 linux-i686: arch: i686 var: linux-i686: 1 osname: linux-i686 configure_opt_i686: '--host=i686-linux-gnu CFLAGS=-m32 CXXFLAGS=-m32 LDFLAGS=-m32' configure_opt: '[% c("var/configure_opt_i686") %]' linux: var: linux: 1 compiler: gcc container: suite: wheezy arch: amd64 pre_pkginst: dpkg --add-architecture i386 deps: - libc6-dev-i386 - lib32stdc++6 - build-essential - python - bison - hardening-wrapper - automake - libtool - zip - unzip ncdns-windows-i686: - windows-i686 - windows ncdns-windows-x86_64: - windows-x86_64 - windows windows-x86_64: arch: x86_64 var: windows-x86_64: 1 osname: windows-x86_64 container: arch: amd64 faketime_path: /usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 # HEASLR is 64 bit only (see bug 12968) flag_HEASLR: '-Wl,--high-entropy-va' windows-i686: arch: i686 var: windows-i686: 1 osname: windows-i686 container: arch: i386 faketime_path: /usr/lib/i386-linux-gnu/faketime/libfaketime.so.1 setarch: | if test -z "$RBM_SETARCH" then export RBM_SETARCH=1 exec setarch i686 ./build fi windows: var: windows: 1 container: suite: jessie configure_opt: '--host=[% c("arch") %]-w64-mingw32 CFLAGS="[% c("var/CFLAGS") %]" LDFLAGS="[% c("var/LDFLAGS") %]"' CFLAGS: '-fstack-protector-strong -fno-strict-overflow -Wno-missing-field-initializers -Wformat -Wformat-security [% c("var/flag_mwindows") %]' LDFLAGS: '-Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -Wl,--no-insert-timestamp -lssp -L$gcclibs [% c("var/flag_HEASLR") %] [% c("var/flag_mwindows") %]' flag_mwindows: '-mwindows' compiler: mingw-w64 deps: - build-essential - python - bison - automake - libtool - zip - unzip ncdns-osx-x86_64: - osx-x86_64 osx-x86_64: arch: x86_64 var: osx: 1 osname: osx-x86_64 container: suite: jessie arch: amd64 compiler: 'macosx-toolchain' configure_opt: '--host=x86_64-apple-darwin11 CC="x86_64-apple-darwin11-clang [% c("var/FLAGS") %]" CXX="x86_64-apple-darwin11-clang++ [% c("var/FLAGS") %]"' FLAGS: "-target x86_64-apple-darwin11 -B $cctoolsdir -isysroot $sysrootdir" LDFLAGS: "-Wl,-syslibroot,$sysrootdir -Wl,-dead_strip -Wl,-pie" deps: - build-essential - python - bison - automake - libtool - zip - unzip faketime_path: /usr/lib/x86_64-linux-gnu/faketime/libfaketime.so.1 # The no_build_id target can be useful if you want to quickly display # a build template or other option but don't want to spend time to # compute the various build ids no_build_id: # The defaut timestamp value will use the commit time of the # selected commit for the project, which will require cloning the # git repository if it is not present. When we use the no_build_id # target to display a script, we usually don't care about such # details, so we set timestamp to 0 to avoid unnecessary cloning. timestamp: 0 var: build_id: 1 no_containers: var: container: global_disable: 1 # change the default gpg_wrapper to allow git tag signed using an # expired key. # https://bugs.torproject.org/19737 gpg_wrapper: | #!/bin/bash export LC_ALL=C [% IF c('gpg_keyring'); SET gpg_kr = '--keyring ' _ path(c('gpg_keyring'), path(c('gpg_keyring_dir'))) _ ' --no-default-keyring'; END; -%] gpg_verify=0 for opt in "$@" do test "$opt" = '--verify' && gpg_verify=1 done if [ $gpg_verify = 1 ] then [% c('gpg_bin') %] [% c('gpg_args') %] --with-fingerprint [% gpg_kr %] "$@" | sed 's/^\[GNUPG:\] EXPKEYSIG /\[GNUPG:\] GOODSIG /' exit ${PIPESTATUS[0]} else exec [% c('gpg_bin') %] [% c('gpg_args') %] --with-fingerprint [% gpg_kr %] "$@" fi remote_start: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_start") %][% END %]' remote_exec: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_exec") %][% END %]' remote_put: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_put") %][% END %]' remote_get: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_get") %][% END %]' remote_finish: '[% IF c("var/container/use_container") && ! c("var/container/global_disable") %][% c("runc/remote_finish") %][% END %]' runc: remote_start: | #!/bin/sh set -e if [ $(ls -1 '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'* | wc -l) -ne 1 ] then echo "Can't find container image in input files" >&2 ls -l '[% c("remote_srcdir") %]' >&2 exit 1 fi mkdir -p '[% c("var/container/dir") %]'/rootfs/rbm sudo tar -C '[% c("var/container/dir") %]'/rootfs -xf $(ls -1 '[% c("remote_srcdir", { error_if_undef => 1 }) %]/container-image_'*) [% SET user = c("var/container/user") -%] [% c("remote_exec", { exec_as_root => 1, exec_cmd => 'id ' _ user _ ' >/dev/null 2>&1 || adduser -m ' _ user _ ' || useradd -m ' _ user }) %] remote_exec: | #!/bin/sh set -e [% IF c("interactive") -%] echo Container directory: [% shell_quote(c("var/container/dir")) %] [% END -%] mkdir -p '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs/rbm echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rootfs/rbm/cmd echo [% shell_quote(c('exec_cmd')) %] >> '[% c("var/container/dir") %]'/rootfs/rbm/cmd echo '#!/bin/sh' > '[% c("var/container/dir") %]'/rootfs/rbm/run [% IF c('exec_as_root'); SET user = 'root'; ELSE; SET user = c("var/container/user", { error_if_undef => 1 }); END; %] echo 'su - [% user %] -c /rbm/cmd' >> '[% c("var/container/dir") %]'/rootfs/rbm/run chmod +x '[% c("var/container/dir") %]'/rootfs/rbm/cmd chmod +x '[% c("var/container/dir") %]'/rootfs/rbm/run cat > '[% c("var/container/dir") %]'/config.json << EOF [% INCLUDE 'runc-config.json' %] EOF [% IF c("var/container/disable_network/" _ c("exec_name")) -%] sudo ip netns add 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]' [% END -%] sudo runc [% IF c("var_p/runc100") %]run[% ELSE %]start[% END %] -b '[% c("var/container/dir") %]' rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %] [% IF c("runc_hide_stderr") %]2>/dev/null[% END %] [% IF c("var/container/disable_network/" _ c("exec_name")) -%] sudo ip netns delete 'rbm-[% sha256(c("build_id", { error_if_undef => 1 })) %]' [% END -%] remote_put: | #!/bin/sh set -e [% SET src = shell_quote(c('put_src', { error_if_undef => 1 })); SET dst = shell_quote(c('put_dst', { error_if_undef => 1 })); -%] sudo mkdir -p '[% c("var/container/dir") %]'/rootfs/[% dst %] sudo cp -aP [% src %] '[% c("var/container/dir") %]'/rootfs/[% dst %] # On Ubuntu, the /root/.profile file contains a `mesg n` line which is # producing some `stdin: is not a tty` messages. To hide them, we hide # stderr from this part by setting runc_hide_stderr. [% c("remote_exec", { exec_as_root => 1, exec_cmd => 'chown -R ' _ c("var/container/user") _ ' ' _ dst, runc_hide_stderr => 1 }) %] remote_get: | #!/bin/sh set -e [% SET src = shell_quote(c('get_src', { error_if_undef => 1 })); SET dst = shell_quote(c('get_dst', { error_if_undef => 1 })); -%] mkdir -p [% dst %] srcdir='[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs/[% src %] sudo chown -R $(whoami) "$srcdir" if [ $(ls -1 "$srcdir"/* 2> /dev/null | wc -l) -gt 0 ] then for file in "$srcdir"/* do bname="$(basename "$file")" test -e [% dst %]/"$bname" && rm -Rf [% dst %]/"$bname" mv -f "$file" [% dst %]/ done fi remote_finish: | #!/bin/sh set -e sudo rm -Rf '[% c("var/container/dir", { error_if_undef => 1 }) %]'/rootfs '[% c("var/container/dir", { error_if_undef => 1 }) %]'/config.json rmdir '[% c("var/container/dir") %]' ENV: TZ: UTC LC_ALL: C --- | # This part of the file contains options written in perl use IO::CaptureOutput qw(capture_exec); my $hashlist = {}; open(my $f, '<:encoding(UTF-8)', 'hashlist') or die "Cannot open hashlist"; while (my $row = <$f>) { chomp $row; my @words = split / /, $row; my $repo = $words[1]; my $hash = $words[2]; $hashlist->{$repo} = $hash; #print "$repo = $hash\n"; } ( var_p => { # runc100 is true if we are using runc >= 1.0.0 # we assume that any version that is not 0.1.1 is >= 1.0.0 runc100 => sub { my ($out) = capture_exec('sudo', 'runc', '--version'); return !($out =~ m/^runc version 0.1.1/); }, # runc_spec100 is true if runc spec is at least 1.0.0 # We will need to update this when there is a new spec version available runc_spec100 => sub { my ($out) = capture_exec('sudo', 'runc', '--version'); return $out =~ m/^.*spec: 1\.[0-9]+\.[0-9]+(?:-dev)?$/m; }, id => $hashlist, }, )