Merge pull request #23 from trz42/update_cl_2023.06_20240124
Update compat layer NESSI/2023.06
Showing
2 changed files
with
157 additions
and
0 deletions.
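--- /dev/null
+++ b/PATH_NOT_ON_PAGE_FILE_1
@@ -0,0 +1,105 @@
+#!/bin/bash
+
+function log() {
+echo -e "$1" | tee -a ${GLSA_LOG}
+}
+
+function error() {
+echo -e "$1" | tee -a ${GLSA_LOG}
+exit 1
+}
+
+glsa_tmp_dir=$(mktemp -d $TMPDIR/glsa_check.XXX)
+mkdir -p ${glsa_tmp_dir}
+echo "glsa_tmp_dir: '${glsa_tmp_dir}'"
+GLSA_LOG=${glsa_tmp_dir}/glsa.log
+GLSA_CHECK_LOG=${glsa_tmp_dir}/glsa_check.log
+
+# Check if an EESSI version has been specified
+if [ "$#" -eq 0 ]; then
+error "usage: $0 <EESSI version> [EESSI architecture]"
+fi
+
+version="$1"
+
+# Determine architecture
+if [ ! -z "$2" ]
+then
+arch="$2"
+else
+arch="$(uname -m)"
+fi
+
+# Check if the EESSI version number encoded in the filename
+# is a valid, i.e. matches the format YYYY.DD
+if ! echo "${version}" | egrep -q '^20[0-9][0-9]\.(0[0-9]|1[0-2])$'
+then
+error "${version} is not a valid EESSI version."
+fi
+
+compat_dir="/cvmfs/pilot.nessi.no/versions/${version}/compat/linux/${arch}"
+export PATH="${compat_dir}/usr/bin:${compat_dir}/bin"
+
+echo "Determining installed packages..."
+QLIST="qlist -IRv"
+if [ -f ${compat_dir}/startprefix ]; then
+${compat_dir}/startprefix <<< ${QLIST} | sort > ${glsa_tmp_dir}/qlist_installed_packages.log
+fi
+
+echo "Searching for updates to ${compat_dir}..."
+echo " - PATH set to '${PATH}'"
+
+# Set the gentoo repo dir to a temporary directory to prevent it from having to compare
+# all the existing files (which also means that CVMFS has to retrieve them) with new ones.
+# Also use the mirror repo, which already contains all metadata.
+gentoo_dir=${GENTOO_OVERLAY_DIR:-${glsa_tmp_dir}/gentoo}
+
+if [ -f "${compat_dir}/etc/portage/repos.conf/gentoo.conf" ];
+then
+sed -i "s|location = .*|location = ${gentoo_dir}|" "${compat_dir}/etc/portage/repos.conf/gentoo.conf"
+sed -i "s|sync-uri\s*= .*|sync-uri = https://github.com/gentoo-mirror/gentoo.git|" "${compat_dir}/etc/portage/repos.conf/gentoo.conf"
+else
+cat > "${compat_dir}/etc/portage/repos.conf/gentoo.conf" <<EOF
+[DEFAULT]
+main-repo = gentoo
+sync-git-pull-extra-opts = --quiet
+[gentoo]
+priority = 1
+location = ${gentoo_dir}
+sync-uri = https://github.com/gentoo-mirror/gentoo.git
+sync-type = git
+auto-sync = Yes
+clone-depth = 1
+EOF
+fi
+
+echo "Remove existing sync'ed repo data..."
+rm -f ${compat_dir}/etc/portage/repo.postsync.d/sync_gentoo_*
+
+echo "Update the gentoo overlay by downloading a tarball of the git repo to ${gentoo_dir} ..."
+mkdir -p "${gentoo_dir}"
+wget -q "https://github.com/gentoo-mirror/gentoo/archive/refs/heads/stable.tar.gz"
+tar -xzf "stable.tar.gz" --strip-components=1 -C "${gentoo_dir}"
+
+echo "Run glsa-check (see log files in '${glsa_tmp_dir}')..."
+glsa-check -n -p affected > ${GLSA_CHECK_LOG}
+echo "Checking if there are any packages without an upgrade path (processing '${GLSA_CHECK_LOG}')"
+cat ${GLSA_CHECK_LOG} | grep -A2 "No upgrade path exists for these packages"
+
+updates=$(cat ${GLSA_CHECK_LOG} | grep vulnerable | awk '{print "="$1}' | paste -s -d ' ')
+if [ ! -z "${updates}" ];
+then
+log "Security vulnerabilities found in EESSI version ${version} for ${arch}!"
+log "Run the following command to solve them:"
+log '```'
+log "emerge --ask --oneshot --verbose ${updates}"
+log '```'
+exitcode=1
+else
+log "No security vulnerabilities found in EESSI version ${version} for ${arch}!"
+exitcode=0
+fi
+echo "For details see log file '${GLSA_CHECK_LOG}'"
+
+exit ${exitcode}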
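Review bot: A failed refresh of the Gentoo repository is never detected, so glsa-check runs against whatever happens to be in `${gentoo_dir}` and the script can still print "No security vulnerabilities found" and exit 0; the file has no `set -e`, and the `wget -q` and `tar -xzf "stable.tar.gz"` lines neither check their status nor control where the tarball lands (it is written to and read from the current working directory). Suggest `wget -q -O "${glsa_tmp_dir}/stable.tar.gz" "https://github.com/gentoo-mirror/gentoo/archive/refs/heads/stable.tar.gz" || error "failed to download gentoo repo tarball"` followed by `tar -xzf "${glsa_tmp_dir}/stable.tar.gz" --strip-components=1 -C "${gentoo_dir}" || error "failed to extract gentoo repo tarball"`, so a network or archive problem fails the check loudly instead of producing a clean report. The `mktemp -d $TMPDIR/glsa_check.XXX` line also assumes `TMPDIR` is set; with it unset the template is rooted at `/`, and `${TMPDIR:-/tmp}` would avoid that.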
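--- /dev/null
+++ b/PATH_NOT_ON_PAGE_FILE_2
@@ -0,0 +1,52 @@
+#!/usr/bin/env bash
+
+set -e
+
+mytmpdir=$(mktemp -d --tmpdir=/tmp)
+
+if [ -z "$EPREFIX" ]; then
+# this assumes we're running in a Gentoo Prefix environment
+EPREFIX=$(dirname $(dirname $SHELL))
+fi
+echo "EPREFIX=${EPREFIX}"
+
+# collect list of installed packages before updating packages
+list_installed_pkgs_pre_update=${mytmpdir}/installed-pkgs-pre-update.txt
+echo "Collecting list of installed packages to ${list_installed_pkgs_pre_update}..."
+qlist -IRv | sort | tee ${list_installed_pkgs_pre_update}
+
+# update checkout of gentoo repository to sufficiently recent commit
+# this is required because we pin to a specific commit when bootstrapping the compat layer
+# see gentoo_git_commit in ansible/playbooks/roles/compatibility_layer/defaults/main.yml;
+
+# https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3d2cb88c7568aa483b465e1988756e64857b41b1 (2024-01-24)
+gentoo_commit='3d2cb88c7568aa483b465e1988756e64857b41b1'
+echo "Updating $EPREFIX/var/db/repos/gentoo to recent commit (${gentoo_commit})..."
+cd $EPREFIX/var/db/repos/gentoo
+time git fetch origin
+echo "Checking out ${gentoo_commit} in ${PWD}..."
+time git checkout ${gentoo_commit}
+cd -
+
+# update libarchive due to https://glsa.gentoo.org/glsa/202309-14
+emerge --update --oneshot --verbose '=app-arch/libarchive-3.7.2' # was app-arch/libarchive-3.6.2-r1
+
+# update glibc due to https://glsa.gentoo.org/glsa/202310-03
+emerge --update --oneshot --verbose '=sys-libs/glibc-2.37-r7' # was sys-libs/glibc-2.37-r3
+
+# update binutils due to https://glsa.gentoo.org/glsa/202310-12
+emerge --update --oneshot --verbose '=net-misc/curl-8.4.0' # was net-misc/curl-8.1.2
+
+# update openssl due to https://glsa.gentoo.org/glsa/202401-18
+emerge --update --oneshot --verbose '=sys-libs/zlib-1.3-r2' # was sys-libs/zlib-1.2.13-r1
+
+# collect list of installed packages after updating packages
+list_installed_pkgs_post_update=${mytmpdir}/installed-pkgs-post-update.txt
+echo "Collecting list of installed packages to ${list_installed_pkgs_post_update}..."
+qlist -IRv | sort | tee ${list_installed_pkgs_post_update}
+
+echo
+echo "diff in installed packages:"
+diff -u ${list_installed_pkgs_pre_update} ${list_installed_pkgs_post_update}
+
+rm -rf ${mytmpdir}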
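Review bot: The comments above the last two `emerge` lines name packages other than the ones actually being updated: `# update binutils due to https://glsa.gentoo.org/glsa/202310-12` sits above `emerge ... '=net-misc/curl-8.4.0'`, and `# update openssl due to https://glsa.gentoo.org/glsa/202401-18` sits above `emerge ... '=sys-libs/zlib-1.3-r2'`. These comments are the audit trail tying each pinned bump to its advisory, so each should name the package that is emerged (curl and zlib respectively) and the advisory that motivated it, confirmed against the GLSA pages rather than copied from the current text. Separately, the closing `rm -rf ${mytmpdir}` would be safer written as `rm -rf -- "${mytmpdir:?}"` so an empty variable cannot expand to a bare `rm -rf`, and `EPREFIX=$(dirname $(dirname $SHELL))` should quote its expansions.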