|
|
@ -7,6 +7,8 @@ set -o pipefail |
|
|
|
# Default compiler |
|
|
|
# Default compiler |
|
|
|
: ${CC:="gcc"} |
|
|
|
: ${CC:="gcc"} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo "CC=${CC}" |
|
|
|
|
|
|
|
|
|
|
|
# Paths |
|
|
|
# Paths |
|
|
|
: ${SOURCE_DIR:="."} |
|
|
|
: ${SOURCE_DIR:="."} |
|
|
|
: ${DIST_DIR:="${SOURCE_DIR}/dist"} |
|
|
|
: ${DIST_DIR:="${SOURCE_DIR}/dist"} |
|
|
@ -50,82 +52,141 @@ make |
|
|
|
make package |
|
|
|
make package |
|
|
|
popd |
|
|
|
popd |
|
|
|
|
|
|
|
|
|
|
|
# Smoke tests (actual tests need Docker to run; they don't run within the CI environment) |
|
|
|
pkg_version="$(cat "${BUILD_DIR}/VERSION")" |
|
|
|
for tini in "${BUILD_DIR}/tini" "${BUILD_DIR}/tini-static"; do |
|
|
|
|
|
|
|
echo "Smoke test for $tini" |
|
|
|
|
|
|
|
"${tini}" -h |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo "Testing $tini for license" |
|
|
|
if [[ -n "${ARCH_NATIVE:=}" ]]; then |
|
|
|
"${tini}" -l | grep -i "mit license" |
|
|
|
echo "Built native package (ARCH_NATIVE=${ARCH_NATIVE})" |
|
|
|
|
|
|
|
echo "Running smoke and internal tests" |
|
|
|
|
|
|
|
|
|
|
|
echo "Testing $tini with: true" |
|
|
|
# Smoke tests (actual tests need Docker to run; they don't run within the CI environment) |
|
|
|
"${tini}" -vvv true |
|
|
|
for tini in "${BUILD_DIR}/tini" "${BUILD_DIR}/tini-static"; do |
|
|
|
|
|
|
|
echo "Smoke test for $tini" |
|
|
|
|
|
|
|
"${tini}" -h |
|
|
|
|
|
|
|
|
|
|
|
echo "Testing $tini with: false" |
|
|
|
echo "Testing $tini for license" |
|
|
|
if "${tini}" -vvv false; then |
|
|
|
"${tini}" -l | grep -i "mit license" |
|
|
|
exit 1 |
|
|
|
|
|
|
|
|
|
|
|
echo "Testing $tini with: true" |
|
|
|
|
|
|
|
"${tini}" -vvv true |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo "Testing $tini with: false" |
|
|
|
|
|
|
|
if "${tini}" -vvv false; then |
|
|
|
|
|
|
|
exit 1 |
|
|
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Test stdin / stdout are handed over to child |
|
|
|
|
|
|
|
echo "Testing pipe" |
|
|
|
|
|
|
|
echo "exit 0" | "${tini}" -vvv sh |
|
|
|
|
|
|
|
if [[ ! "$?" -eq "0" ]]; then |
|
|
|
|
|
|
|
echo "Pipe test failed" |
|
|
|
|
|
|
|
exit 1 |
|
|
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
echo "Checking hardening on $tini" |
|
|
|
|
|
|
|
hardening-check --nopie --nostackprotector --nobindnow "${tini}" |
|
|
|
|
|
|
|
done |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Quick package audit |
|
|
|
|
|
|
|
if which rpm >/dev/null; then |
|
|
|
|
|
|
|
echo "Contents for RPM:" |
|
|
|
|
|
|
|
rpm -qlp "${BUILD_DIR}/tini_${pkg_version}.rpm" |
|
|
|
|
|
|
|
echo "--" |
|
|
|
fi |
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
# Test stdin / stdout are handed over to child |
|
|
|
if which dpkg >/dev/null; then |
|
|
|
echo "Testing pipe" |
|
|
|
echo "Contents for DEB:" |
|
|
|
echo "exit 0" | "${tini}" -vvv sh |
|
|
|
dpkg --contents "${BUILD_DIR}/tini_${pkg_version}.deb" |
|
|
|
if [[ ! "$?" -eq "0" ]]; then |
|
|
|
echo "--" |
|
|
|
echo "Pipe test failed" |
|
|
|
|
|
|
|
exit 1 |
|
|
|
|
|
|
|
fi |
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
echo "Checking hardening on $tini" |
|
|
|
# Compile test code |
|
|
|
hardening-check --nopie --nostackprotector --nobindnow "${tini}" |
|
|
|
"${CC}" -o "${BUILD_DIR}/sigconf-test" "${SOURCE_DIR}/test/sigconf/sigconf-test.c" |
|
|
|
done |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Move files to the dist dir for testing |
|
|
|
# Create virtual environment to run tests. |
|
|
|
mkdir -p "${DIST_DIR}" |
|
|
|
# Accept system site packages for faster local builds. |
|
|
|
cp "${BUILD_DIR}"/tini{,-static,*.rpm,*deb} "${DIST_DIR}" |
|
|
|
VENV="${BUILD_DIR}/venv" |
|
|
|
|
|
|
|
virtualenv --system-site-packages "${VENV}" |
|
|
|
|
|
|
|
|
|
|
|
# Quick package audit |
|
|
|
# Don't use activate because it does not play nice with nounset |
|
|
|
if which rpm; then |
|
|
|
export PATH="${VENV}/bin:${PATH}" |
|
|
|
echo "Contents for RPM:" |
|
|
|
export CFLAGS # We need them to build our test suite, regardless of FORCE_SUBREAPER |
|
|
|
rpm -qlp "${DIST_DIR}/tini"*.rpm |
|
|
|
|
|
|
|
fi |
|
|
|
# Install test dependencies |
|
|
|
|
|
|
|
pip install psutil python-prctl bitmap |
|
|
|
|
|
|
|
|
|
|
|
if which dpkg; then |
|
|
|
# Run tests |
|
|
|
echo "Contents for DEB:" |
|
|
|
python "${SOURCE_DIR}/test/run_inner_tests.py" |
|
|
|
dpkg --contents "${DIST_DIR}/tini"*deb |
|
|
|
else |
|
|
|
|
|
|
|
if [[ ! -n "${ARCH_SUFFIX:=}" ]]; then |
|
|
|
|
|
|
|
echo "Built cross package, but $ARCH_SUFFIX is empty!" |
|
|
|
|
|
|
|
exit 1 |
|
|
|
|
|
|
|
fi |
|
|
|
|
|
|
|
echo "Built cross package (ARCH_SUFFIX=${ARCH_SUFFIX})" |
|
|
|
|
|
|
|
echo "Skipping smoke and internal tests" |
|
|
|
fi |
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
# Compile test code |
|
|
|
# Now, copy over files to DIST_DIR, with appropriate names depending on the |
|
|
|
"${CC}" -o "${BUILD_DIR}/sigconf-test" "${SOURCE_DIR}/test/sigconf/sigconf-test.c" |
|
|
|
# architecture. |
|
|
|
|
|
|
|
# Handle the DEB / RPM |
|
|
|
|
|
|
|
mkdir -p "${DIST_DIR}" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
TINIS=() |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for tini in tini tini-static; do |
|
|
|
|
|
|
|
if [[ -n "${ARCH_SUFFIX:=}" ]]; then |
|
|
|
|
|
|
|
to="${DIST_DIR}/${tini}-${ARCH_SUFFIX}" |
|
|
|
|
|
|
|
TINIS+=("$to") |
|
|
|
|
|
|
|
cp "${BUILD_DIR}/${tini}" "$to" |
|
|
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if [[ -n "${ARCH_NATIVE:=}" ]]; then |
|
|
|
|
|
|
|
to="${DIST_DIR}/${tini}" |
|
|
|
|
|
|
|
TINIS+=("$to") |
|
|
|
|
|
|
|
cp "${BUILD_DIR}/${tini}" "$to" |
|
|
|
|
|
|
|
fi |
|
|
|
|
|
|
|
done |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
for pkg_format in deb rpm; do |
|
|
|
|
|
|
|
src="${BUILD_DIR}/tini_${pkg_version}.${pkg_format}" |
|
|
|
|
|
|
|
|
|
|
|
# Create virtual environment to run tests. |
|
|
|
if [[ -n "${ARCH_SUFFIX:=}" ]]; then |
|
|
|
# Accept system site packages for faster local builds. |
|
|
|
to="${DIST_DIR}/tini_${pkg_version}-${ARCH_SUFFIX}.${pkg_format}" |
|
|
|
VENV="${BUILD_DIR}/venv" |
|
|
|
TINIS+=("$to") |
|
|
|
virtualenv --system-site-packages "${VENV}" |
|
|
|
cp "$src" "$to" |
|
|
|
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
|
|
# Don't use activate because it does not play nice with nounset |
|
|
|
if [[ -n "${ARCH_NATIVE:=}" ]]; then |
|
|
|
export PATH="${VENV}/bin:${PATH}" |
|
|
|
to="${DIST_DIR}/tini_${pkg_version}.${pkg_format}" |
|
|
|
export CFLAGS # We need them to build our test suite, regardless of FORCE_SUBREAPER |
|
|
|
TINIS+=("$to") |
|
|
|
|
|
|
|
cp "$src" "$to" |
|
|
|
|
|
|
|
fi |
|
|
|
|
|
|
|
done |
|
|
|
|
|
|
|
|
|
|
|
# Install test dependencies |
|
|
|
echo "Tinis: ${TINIS[*]}" |
|
|
|
pip install psutil python-prctl bitmap |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Run tests |
|
|
|
for tini in "${TINIS[@]}"; do |
|
|
|
python "${SOURCE_DIR}/test/run_inner_tests.py" |
|
|
|
echo "${tini}:" |
|
|
|
|
|
|
|
sha1sum "$tini" |
|
|
|
|
|
|
|
file "$tini" |
|
|
|
|
|
|
|
echo "--" |
|
|
|
|
|
|
|
done |
|
|
|
|
|
|
|
|
|
|
|
# If a signing key and passphrase are made available, then use it to sign the |
|
|
|
# If a signing key and passphrase are made available, then use it to sign the |
|
|
|
# binaries |
|
|
|
# binaries |
|
|
|
if [[ -n "$GPG_PASSPHRASE" ]] && [[ -f "${SOURCE_DIR}/sign.key" ]]; then |
|
|
|
if [[ -n "$GPG_PASSPHRASE" ]] && [[ -f "${SOURCE_DIR}/sign.key" ]]; then |
|
|
|
echo "Signing binaries" |
|
|
|
echo "Signing tinis" |
|
|
|
GPG_SIGN_HOMEDIR="${BUILD_DIR}/gpg-sign" |
|
|
|
GPG_SIGN_HOMEDIR="${BUILD_DIR}/gpg-sign" |
|
|
|
GPG_VERIFY_HOMEDIR="${BUILD_DIR}/gpg-verify" |
|
|
|
GPG_VERIFY_HOMEDIR="${BUILD_DIR}/gpg-verify" |
|
|
|
PGP_KEY_FINGERPRINT="595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7" |
|
|
|
PGP_KEY_FINGERPRINT="595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7" |
|
|
|
PGP_KEYSERVER="ha.pool.sks-keyservers.net" |
|
|
|
PGP_KEYSERVER="ha.pool.sks-keyservers.net" |
|
|
|
|
|
|
|
|
|
|
|
mkdir "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}" |
|
|
|
mkdir "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}" |
|
|
|
chmod 700 "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}" |
|
|
|
chmod 700 "${GPG_SIGN_HOMEDIR}" "${GPG_VERIFY_HOMEDIR}" |
|
|
|
|
|
|
|
|
|
|
|
gpg --homedir "${GPG_SIGN_HOMEDIR}" --import "${SOURCE_DIR}/sign.key" |
|
|
|
gpg --homedir "${GPG_SIGN_HOMEDIR}" --import "${SOURCE_DIR}/sign.key" |
|
|
|
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver "$PGP_KEYSERVER" --recv-keys "$PGP_KEY_FINGERPRINT" |
|
|
|
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --keyserver "$PGP_KEYSERVER" --recv-keys "$PGP_KEY_FINGERPRINT" |
|
|
|
|
|
|
|
|
|
|
|
for tini in "${DIST_DIR}/tini" "${DIST_DIR}/tini-static"; do |
|
|
|
for tini in "${TINIS[@]}"; do |
|
|
|
echo "${GPG_PASSPHRASE}" | gpg --homedir "${GPG_SIGN_HOMEDIR}" --passphrase-fd 0 --armor --detach-sign "${tini}" |
|
|
|
echo "${GPG_PASSPHRASE}" | gpg --homedir "${GPG_SIGN_HOMEDIR}" --passphrase-fd 0 --armor --detach-sign "${tini}" |
|
|
|
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --verify "${tini}.asc" |
|
|
|
gpg --homedir "${GPG_VERIFY_HOMEDIR}" --verify "${tini}.asc" |
|
|
|
done |
|
|
|
done |
|
|
|