Merge pull request #23 from trz42/update_cl_2023.06_20240124
Update compat layer NESSI/2023.06
trz42 authored Jan 24, 2024
2 parents 82679e2 + 20ce1f0 commit 78059e6
Showing 2 changed files with 157 additions and 0 deletions.
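--- a/scripts/get-pkgs-NESSI.sh
+++ b/scripts/get-pkgs-NESSI.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+function log() {
+echo -e "$1" | tee -a ${GLSA_LOG}
+}
+
+function error() {
+echo -e "$1" | tee -a ${GLSA_LOG}
+exit 1
+}
+
+glsa_tmp_dir=$(mktemp -d $TMPDIR/glsa_check.XXX)
+mkdir -p ${glsa_tmp_dir}
+echo "glsa_tmp_dir: '${glsa_tmp_dir}'"
+GLSA_LOG=${glsa_tmp_dir}/glsa.log
+GLSA_CHECK_LOG=${glsa_tmp_dir}/glsa_check.log
+
+# Check if an EESSI version has been specified
+if [ "$#" -eq 0 ]; then
+error "usage: $0 <EESSI version> [EESSI architecture]"
+fi
+
+version="$1"
+
+# Determine architecture
+if [ ! -z "$2" ]
+then
+arch="$2"
+else
+arch="$(uname -m)"
+fi
+
+# Check if the EESSI version number encoded in the filename
+# is a valid, i.e. matches the format YYYY.DD
+if ! echo "${version}" | egrep -q '^20[0-9][0-9]\.(0[0-9]|1[0-2])$'
+then
+error "${version} is not a valid EESSI version."
+fi
+
+compat_dir="/cvmfs/pilot.nessi.no/versions/${version}/compat/linux/${arch}"
+export PATH="${compat_dir}/usr/bin:${compat_dir}/bin"
+
+echo "Determining installed packages..."
+QLIST="qlist -IRv"
+if [ -f ${compat_dir}/startprefix ]; then
+${compat_dir}/startprefix <<< ${QLIST} | sort > ${glsa_tmp_dir}/qlist_installed_packages.log
+fi
+
+echo "Searching for updates to ${compat_dir}..."
+echo " - PATH set to '${PATH}'"
+
+# Set the gentoo repo dir to a temporary directory to prevent it from having to compare
+# all the existing files (which also means that CVMFS has to retrieve them) with new ones.
+# Also use the mirror repo, which already contains all metadata.
+gentoo_dir=${GENTOO_OVERLAY_DIR:-${glsa_tmp_dir}/gentoo}
+
+if [ -f "${compat_dir}/etc/portage/repos.conf/gentoo.conf" ];
+then
+sed -i "s|location = .*|location = ${gentoo_dir}|" "${compat_dir}/etc/portage/repos.conf/gentoo.conf"
+sed -i "s|sync-uri\s*= .*|sync-uri = https://github.com/gentoo-mirror/gentoo.git|" "${compat_dir}/etc/portage/repos.conf/gentoo.conf"
+else
+cat > "${compat_dir}/etc/portage/repos.conf/gentoo.conf" <<EOF
+[DEFAULT]
+main-repo = gentoo
+sync-git-pull-extra-opts = --quiet
+[gentoo]
+priority = 1
+location = ${gentoo_dir}
+sync-uri = https://github.com/gentoo-mirror/gentoo.git
+sync-type = git
+auto-sync = Yes
+clone-depth = 1
+EOF
+fi
+
+echo "Remove existing sync'ed repo data..."
+rm -f ${compat_dir}/etc/portage/repo.postsync.d/sync_gentoo_*
+
+echo "Update the gentoo overlay by downloading a tarball of the git repo to ${gentoo_dir} ..."
+mkdir -p "${gentoo_dir}"
+wget -q "https://github.com/gentoo-mirror/gentoo/archive/refs/heads/stable.tar.gz"
+tar -xzf "stable.tar.gz" --strip-components=1 -C "${gentoo_dir}"
+
+echo "Run glsa-check (see log files in '${glsa_tmp_dir}')..."
+glsa-check -n -p affected > ${GLSA_CHECK_LOG}
+echo "Checking if there are any packages without an upgrade path (processing '${GLSA_CHECK_LOG}')"
+cat ${GLSA_CHECK_LOG} | grep -A2 "No upgrade path exists for these packages"
+
+updates=$(cat ${GLSA_CHECK_LOG} | grep vulnerable | awk '{print "="$1}' | paste -s -d ' ')
+if [ ! -z "${updates}" ];
+then
+log "Security vulnerabilities found in EESSI version ${version} for ${arch}!"
+log "Run the following command to solve them:"
+log '```'
+log "emerge --ask --oneshot --verbose ${updates}"
+log '```'
+exitcode=1
+else
+log "No security vulnerabilities found in EESSI version ${version} for ${arch}!"
+exitcode=0
+fi
+echo "For details see log file '${GLSA_CHECK_LOG}'"
+
+exit ${exitcode}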
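Review bot: The overlay fetch on the `wget -q` line is unchecked and writes `stable.tar.gz` into whatever the current working directory happens to be, so a failed or partial download (or a stale `stable.tar.gz` already present there, which wget would save beside rather than overwrite while tar still extracts the old one) lets `glsa-check` run against an empty or outdated repository and the script still reports "No security vulnerabilities found" with exit code 0. Download into the temp dir and abort on failure: `wget -q -O "${glsa_tmp_dir}/stable.tar.gz" "https://github.com/gentoo-mirror/gentoo/archive/refs/heads/stable.tar.gz" || error "failed to download gentoo overlay tarball"` followed by `tar -xzf "${glsa_tmp_dir}/stable.tar.gz" --strip-components=1 -C "${gentoo_dir}" || error "failed to extract gentoo overlay tarball"`. The `glsa-check -n -p affected > ${GLSA_CHECK_LOG}` line has the same weakness: without `set -e` or an `|| error`, a glsa-check failure leaves an empty log that is then read as a clean result. The `mktemp -d $TMPDIR/glsa_check.XXX` line also breaks when `TMPDIR` is unset (the template becomes `/glsa_check.XXX`); `mktemp -d "${TMPDIR:-/tmp}/glsa_check.XXXXXX"` avoids that.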
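--- a/scripts/update-pkgs-NESSI-2023.06-2024-01-24.sh
+++ b/scripts/update-pkgs-NESSI-2023.06-2024-01-24.sh
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+set -e
+
+mytmpdir=$(mktemp -d --tmpdir=/tmp)
+
+if [ -z "$EPREFIX" ]; then
+# this assumes we're running in a Gentoo Prefix environment
+EPREFIX=$(dirname $(dirname $SHELL))
+fi
+echo "EPREFIX=${EPREFIX}"
+
+# collect list of installed packages before updating packages
+list_installed_pkgs_pre_update=${mytmpdir}/installed-pkgs-pre-update.txt
+echo "Collecting list of installed packages to ${list_installed_pkgs_pre_update}..."
+qlist -IRv | sort | tee ${list_installed_pkgs_pre_update}
+
+# update checkout of gentoo repository to sufficiently recent commit
+# this is required because we pin to a specific commit when bootstrapping the compat layer
+# see gentoo_git_commit in ansible/playbooks/roles/compatibility_layer/defaults/main.yml;
+
+# https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d2cb88c7568aa483b465e1988756e64857b41b1 (2024-01-24)
+gentoo_commit='3d2cb88c7568aa483b465e1988756e64857b41b1'
+echo "Updating $EPREFIX/var/db/repos/gentoo to recent commit (${gentoo_commit})..."
+cd $EPREFIX/var/db/repos/gentoo
+time git fetch origin
+echo "Checking out ${gentoo_commit} in ${PWD}..."
+time git checkout ${gentoo_commit}
+cd -
+
+# update libarchive due to https://glsa.gentoo.org/glsa/202309-14
+emerge --update --oneshot --verbose '=app-arch/libarchive-3.7.2' # was app-arch/libarchive-3.6.2-r1
+
+# update glibc due to https://glsa.gentoo.org/glsa/202310-03
+emerge --update --oneshot --verbose '=sys-libs/glibc-2.37-r7' # was sys-libs/glibc-2.37-r3
+
+# update binutils due to https://glsa.gentoo.org/glsa/202310-12
+emerge --update --oneshot --verbose '=net-misc/curl-8.4.0' # was net-misc/curl-8.1.2
+
+# update openssl due to https://glsa.gentoo.org/glsa/202401-18
+emerge --update --oneshot --verbose '=sys-libs/zlib-1.3-r2' # was sys-libs/zlib-1.2.13-r1
+
+# collect list of installed packages after updating packages
+list_installed_pkgs_post_update=${mytmpdir}/installed-pkgs-post-update.txt
+echo "Collecting list of installed packages to ${list_installed_pkgs_post_update}..."
+qlist -IRv | sort | tee ${list_installed_pkgs_post_update}
+
+echo
+echo "diff in installed packages:"
+diff -u ${list_installed_pkgs_pre_update} ${list_installed_pkgs_post_update}
+
+rm -rf ${mytmpdir}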
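Review bot: Under `set -e` the `diff -u` on the two installed-package lists exits non-zero whenever the lists differ, which is the expected outcome after the emerges succeed, so the script aborts at that line with status 1 and the `rm -rf ${mytmpdir}` cleanup never runs. Make the diff non-fatal, `diff -u "${list_installed_pkgs_pre_update}" "${list_installed_pkgs_post_update}" || true`, and move the cleanup into `trap 'rm -rf "${mytmpdir}"' EXIT` right after the `mktemp` so it also runs when an earlier step fails. Separately, the comments above the third and fourth `emerge` lines say "update binutils" and "update openssl" while the atoms emerged are `=net-misc/curl-8.4.0` and `=sys-libs/zlib-1.3-r2`; either the comment or the atom is wrong, so confirm against the referenced GLSA ids and make the comment name the package actually emerged.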
