Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Updated Builder script #234

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Conversation

moos3
Copy link

@moos3 moos3 commented Nov 30, 2016

Updated the builder so that it doesn't relay on a pre-existing alpine image. This allows for people to
create Alpine linux when they can't use public images.

Updated the builder so that it doesn't relay on a pre-existing alpine image. This allows for people to
create Alpine linux when they can't use public images
@ncopa
Copy link
Collaborator

ncopa commented Nov 30, 2016

I am also working on official upstream rootfs images with the v3.5 release

mirror_count=$(wc -l $mirror_list | cut -d " " -f 1)
random=$(hexdump -n 2 -e '/2 "%u"' /dev/urandom)
repository=$(sed $(expr $random % $mirror_count + 1)\!d \
$mirror_list)$auto_repo_dir
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we can simply use the http://dl-cdn.alpinelinux.org/alpine mirror

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I pulling the mirror list from the official alpine-mirrors package. This way if we are only pulling for official mirrors, and not a dns value that might be hijacked on someones network. Otherwise your correct we could just use the cdn mirror and relay on dns doing the picking.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Makes no difference. Any of the mirrors could be dns hijacked or the official mirror sysadmin could go rough. What protects you from any of this to happen is the signature verification using the apk keys which you verify with the embedded sha256 sum.

In other words, as long as you trust that the builder script itself has not been modified over the wire, then you can verify that apk is ok and apk will verify that the apk content is not modified, using the apk keys.

I am ok to keep the current approach if you have strong feeling for it. It is good to not hard-code the mirror in case we change it in future.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah it doesn't matter to me. The bootstrap script does a sha1 check on itself to make sure it hasn't been modified from outside sources :) we can swap that out for the cdn, at the top we pull in the list of mirrors from the cdn at the beginning of the process. I just found this was the best way for I work. Just figured others might be in the same boat.

@andyshinn
Copy link
Contributor

Let's revisit this. Can you give a brief demo of using this and how it might affect our current pipeline? Then I can try it out locally.

From the looks of it, it appears to build a alpine:base first which is then used to build each of the images?

@moos3
Copy link
Author

moos3 commented Jun 26, 2017

Correct it does build base then builds each version from inside that image.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants